Numerous components utilizing PHP's DOMDocument, SimpleXML, and xml_parse functionality are vulnerable to two types of attacks: XML eXternal Entity (XXE) injection and XML Entity Expansion (XEE).
Continuing the patches performed in ZF2012-02 and ZF2012-05, we extended the fix to every use of the PHP functions simplexml_load_*, DOMDocument::loadXML, and xml_parse, in order to prevent XXE and XEE attacks across the framework.
We have provided new components, Zend_Xml_Security in ZF1 and the standalone ZendXml library, that scan and load XML documents to prevent these attacks. The XXE attack is prevented by calling libxml_disable_entity_loader() to disable the loading of external entities while the document is parsed. The XEE attack is prevented by checking for the presence of ENTITY declarations in the document type declaration; in such cases we throw an Exception with an error message indicating that we do not accept ENTITY declarations in XML documents for security reasons.
Moreover, because of PHP bug 64938, we decided to handle the PHP-FPM scenario with a heuristic approach: we search the raw XML string for any <!ENTITY token and, on detection, raise an exception before the document reaches the parser.
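The layered check described above, as an added example that is not part of this advisory or of the Zend_Xml_Security / ZendXml code: a loader that first pre-scans the raw string for the <!ENTITY token (the PHP-FPM workaround), then parses with libxml_disable_entity_loader(true) and without LIBXML_NOENT, and finally rejects any parsed DOCTYPE that declares entities. The function and class names are hypothetical and the sample documents are constructed; it assumes PHP 5.4 or 7.x (on PHP 8 the libxml_disable_entity_loader() call is deprecated because external entity loading is already off by default).

```php
<?php
declare(strict_types=1);

// Added example for this advisory; not the Zend_Xml_Security / ZendXml code.
// loadXmlSafely and XmlLoadException are hypothetical names.

final class XmlLoadException extends RuntimeException {}

/**
 * Parse $xml into a DOMDocument, refusing any document that declares entities.
 *
 * @param bool $heuristicScan apply the "<!ENTITY" string pre-scan (the
 *                            PHP-FPM workaround) before touching libxml
 */
function loadXmlSafely(string $xml, bool $heuristicScan = true): DOMDocument
{
    // Layer 1: string pre-scan. Every entity declaration starts with this
    // token, so rejecting it up front needs no parser state at all.
    if ($heuristicScan && preg_match('/<!ENTITY/i', $xml) === 1) {
        throw new XmlLoadException('Detected use of ENTITY in XML, refused to prevent XXE/XEE attacks');
    }

    // Layer 2: parse with the external entity loader disabled. The call
    // returns the previous setting so it can be restored afterwards.
    $prevLoader = libxml_disable_entity_loader(true);
    $prevErrors = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    // Never pass LIBXML_NOENT or LIBXML_DTDLOAD here: both re-enable
    // entity substitution / fetching.
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($prevErrors);
    libxml_disable_entity_loader($prevLoader);

    if ($ok === false) {
        $msg = $errors !== [] ? trim($errors[0]->message) : 'unknown parse error';
        throw new XmlLoadException('XML parse error: ' . $msg);
    }

    // Layer 3: inspect the parsed DOCTYPE. Declarations in the internal
    // subset survive the parse even though nothing was expanded.
    if ($dom->doctype !== null && $dom->doctype->entities->length > 0) {
        throw new XmlLoadException(sprintf(
            'Detected %d ENTITY declaration(s) in the DOCTYPE, refused to prevent XXE/XEE attacks',
            $dom->doctype->entities->length
        ));
    }
    return $dom;
}

// Constructed sample documents (not taken from any real report).
$samples = [
    'benign' => '<?xml version="1.0"?><order><item sku="A1" qty="2"/></order>',
    'xxe'    => '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><x>&xxe;</x>',
    'xee'    => '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "aaaaaaaaaa">'
              . '<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]><x>&b;&b;&b;</x>',
];

// Run once with the heuristic pre-scan and once without it, to show that the
// DOCTYPE inspection rejects the hostile documents on its own as well.
foreach ([true, false] as $scan) {
    foreach ($samples as $name => $xml) {
        try {
            $dom = loadXmlSafely($xml, $scan);
            printf("%-6s scan=%-5s accepted: <%s>\n", $name, var_export($scan, true), $dom->documentElement->tagName);
        } catch (XmlLoadException $e) {
            printf("%-6s scan=%-5s rejected: %s\n", $name, var_export($scan, true), $e->getMessage());
        }
    }
}
```

Run with php on the command line. The benign order document is accepted in both passes; the xxe and xee documents are rejected by the pre-scan in the first pass and by the DOCTYPE inspection in the second, without any entity ever being expanded or fetched. The pre-scan is the cheap, parser-independent check the advisory adds for PHP-FPM; the DOCTYPE inspection is the precise one, and keeping both costs nothing.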
Note: starting with libxml2 version 2.9, the libxml library used by PHP no longer fetches external entities by default, which addresses XXE at the library level. If PHP is linked against that version (check LIBXML_DOTTED_VERSION), the existing PHP functions can be used, provided you do not pass options such as LIBXML_NOENT or LIBXML_DTDLOAD, which switch external entity loading back on; the ENTITY-declaration check described above is still what protects against XEE.
The following components/libraries were patched, at the version specified:
About XML eXternal Entity (XXE) attacks:
About XML Entity Expansion (XEE) attacks:
The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:
Released 2014-03-06
Have you identified a security vulnerability?
Please report it to us at zf-security@zend.com