Security Advisory: ZF2014-01

ZF2014-01: Potential XXE/XEE attacks using PHP functions: simplexml_load_*, DOMDocument::loadXML, and xml_parse

Numerous components utilizing PHP's DOMDocument, SimpleXML, and xml_parse functionality are vulnerable to two types of attacks:

• XML eXternal Entity (XXE) Injection attacks. The above mentioned extensions are insecure by default, allowing external entities to be specified by adding a specific DOCTYPE element to XML documents and strings. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.
• XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.

Action Taken

Continuing on the patches performed in ZF2012-02 and ZF2012-05, we extended the patch to all the usage of the PHP functions simplexml_load_*, DOMDocument::loadXML, and xml_parse, in order to prevent XXE and XEE attacks across the framework.

We have provided new components, Zend_Xml_Security in ZF1 and the standalone ZendXml, that scan and load XML documents to prevent the previous attacks. The XXE attack is prevented using the libxml_disable_entity_loader() function to disable the loading of ENTITY nodes. The XXE attack is prevented by checking for the presence of ENTITY elements in the document type declaration; in such cases, we throw an Exception with an error message indicating that we don't accept ENTITY declarations in XML documents for security reasons.

Moreover, because of PHP bug 64938, we have decided to manage the PHP-FPM scenario using an heuristic approach. We perform a search inside the XML string to find usage of any <!ENTITY" element, and, on detection, raise an exception.

Note: the libxml library used by PHP to manage XML documents has been fixed against XEE attacks starting from libxml2 version 2.9. If you are using this version you can use the existing PHP functions without security concerns.

The following components/libraries were patched, at the version specified:

• Zend Framework 1, version 1.12.4
• Zend Framework 2, versions 2.1.6 and 2.2.6
• ZendOpenId, version 2.0.2
• ZendRest, version 2.0.2
• ZendService_Amazon, version 2.0.3
• ZendService_Api, version 1.0.0
• ZendService_AudioScrobbler, version 2.0.2
• ZendService_Nirvanix, version 2.0.2
• ZendService_SlideShare, version 2.0.2
• ZendService_Technorati, version 2.0.2
• ZendService_WindowsAzure, version 2.0.2

Other Information

About XML eXternal Entity (XXE) attacks:

• https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
• http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html

About XML Entity Expansion (XEE) attacks:

• http://en.wikipedia.org/wiki/Billion_laughs
• http://projects.webappsec.org/w/page/13247002/XML%20Entity%20Expansion
• http://cwe.mitre.org/data/definitions/776.html

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

• Lukas Reschke (lukas@owncloud.org) for reporting the potential XXE attacks in some components of ZF1, not previously fixed, and to suggest a possible fix for PHP-FPM scenarios
• Pádraic Brady (padraic.brady@gmail.com) for implementing the first XEE security patch (ZF2012-02)
• Enrico Zimuel (enrico@zend.com) for improving the previous solution, extending it to all the use cases.

Released 2014-03-06

Back to advisories

• Overview
• Advisories
• Feed