XXE Vulnerability in the Slim PHP Framework (a typical form of XXE)

Source: Internet
Author: User
[During Chinese New Year, one earlier article from my backlog is posted each day, seven articles in all.]

The emergence of modern CMS frameworks (Laravel/Symfony/Slim) has changed where PHP vulnerabilities occur, how they arise, and how they are used. In this series I hope to summarize my own experience mining vulnerabilities in this kind of CMS.

Slim is a well-known lightweight PHP framework with a distinctive design philosophy, built around the PSR-7 standard; it has more than 1,000,000 (100w) users so far.

While reading its source code, I found a vulnerability that only appears in CMSes built on this framework.

Official website: http://www.slimframework.com/

Vulnerability Details

This vulnerability exists in the latest version (3.0). First, install it with Composer:

    composer require slim/slim "^3.0@RC"

Look at its documentation: http://www.slimframework.com/docs/objects/request.html#the-request-body. POST data is obtained with the getParsedBody method, and this method parses the body differently depending on the request's Content-Type:

A typical problem, also mentioned in this post: http://zone.wooyun.org/content/19908, is that a framework sometimes helps developers with "chores" they may not need. Here in Slim, a regular POST has Content-Type application/x-www-form-urlencoded, but as long as I change it to application/json I can pass in JSON-formatted POST data, and if I change it to application/xml I can pass in XML-formatted data. This feature causes two problems:

    1. WAF bypass
    2. A possible XXE vulnerability

The WAF bypass needs no explanation: a conventional WAF typically inspects only application/x-www-form-urlencoded data, and once the data type is changed, most mainstream WAFs are defeated. XXE is the focus of this vulnerability. Let's look at the code that parses the body:

    public function __construct(
        $method,
        UriInterface $uri,
        HeadersInterface $headers,
        array $cookies,
        array $serverParams,
        StreamInterface $body,
        array $uploadedFiles = []
    ) {
        $this->originalMethod = $this->filterMethod($method);
        $this->uri = $uri;
        $this->headers = $headers;
        $this->cookies = $cookies;
        $this->serverParams = $serverParams;
        $this->attributes = new Collection();
        $this->body = $body;
        $this->uploadedFiles = $uploadedFiles;

        if (!$this->headers->has('Host') || $this->uri->getHost() !== '') {
            $this->headers->set('Host', $this->uri->getHost());
        }

        $this->registerMediaTypeParser('application/json', function ($input) {
            return json_decode($input, true);
        });

        // XML bodies are handed straight to simplexml_load_string() with no
        // entity-loader protection.
        $this->registerMediaTypeParser('application/xml', function ($input) {
            return simplexml_load_string($input);
        });

        $this->registerMediaTypeParser('text/xml', function ($input) {
            return simplexml_load_string($input);
        });

        $this->registerMediaTypeParser('application/x-www-form-urlencoded', function ($input) {
            parse_str($input, $data);
            return $data;
        });
    }

The parsing code is written as callback functions in the constructor of the Request class. As can be seen, simplexml_load_string is called directly on $input, resulting in an XML external entity (XXE) injection vulnerability. Therefore any CMS developed with Slim Framework 3.0 is affected by this XXE vulnerability as soon as it reads POST data.

Proof of vulnerability

Write the simplest possible demo page, with a single route that reads the POST data and outputs it:

    require 'vendor/autoload.php';

    $app = new \Slim\App();

    // Parse the body according to Content-Type and print the result.
    $app->post('/post', function ($request, $response) {
        $parsedBody = $request->getParsedBody();
        print_r($parsedBody);
        return $response;
    });

    $app->run();

Deployed on Sangebaimao (three white hats): http://520fdc0ca2c37864f.jie.sangebaimao.com/

Normal request:

Triggering the XXE vulnerability and reading /etc/passwd:

Bug fix

In Slim PHP 2, the maintainers had already dealt with this:

    /**
     * Parse XML
     *
     * This method creates a SimpleXMLElement
     * based upon the XML input. If the SimpleXML
     * extension is not available, the raw input
     * would be returned unchanged.
     *
     * @param  string                  $input
     * @return \SimpleXMLElement|string
     */
    protected function parseXml($input)
    {
        if (class_exists('SimpleXMLElement')) {
            try {
                // Disable the external entity loader for the parse, then restore it.
                $backup = libxml_disable_entity_loader(true);
                $result = new \SimpleXMLElement($input);
                libxml_disable_entity_loader($backup);
                return $result;
            } catch (\Exception $e) {
                // Do nothing
            }
        }
        return $input;
    }

Somehow the maintainers dropped this in version 3.0. I can think of two possible reasons:

    1. The maintainers noticed the problem, but since version 3.0 requires PHP 5.5 or above, they mistakenly assumed that PHP above 5.5 no longer carries the XXE hazard. In fact, whether external XML entities are resolved is not related to the PHP version but to the version of the libxml library at compile time.
    2. The maintainers have not yet noticed the issue.

The former seems more likely. So the fix should follow the same approach as in version 2.
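The version 2 approach carried over to Slim 3, as an added example that is not from the original post or the Slim project: a middleware re-registers a hardened parser for both XML media types on every request, so the framework's default simplexml_load_string callbacks are never reached. The function name parseXmlSafely and the demo route are assumptions; the Slim 3 calls used (registerMediaTypeParser, getParsedBody, App::add) are the ones shown in the post.

```php
<?php
// Added example: hardened XML body parsing for Slim 3 (not code from the
// original post or from the Slim project).
require 'vendor/autoload.php';

use Slim\Http\Request;
use Slim\Http\Response;

// Parse an XML body without loading external entities, mirroring the
// Slim 2 parseXml() fix for the simplexml_load_string() call that
// Slim 3 registers by default.
function parseXmlSafely($input)
{
    // Disable the external entity loader for the duration of the parse
    // and restore the previous setting afterwards. (Deprecated since
    // PHP 8.0, where libxml 2.9+ disables it by default, but still works.)
    $previousLoader = libxml_disable_entity_loader(true);
    $previousErrors = libxml_use_internal_errors(true);
    try {
        // LIBXML_NONET forbids network access while parsing; LIBXML_NOENT
        // is deliberately not passed, so entity substitution stays off.
        $xml = simplexml_load_string($input, 'SimpleXMLElement', LIBXML_NONET);
        return $xml === false ? null : $xml;
    } finally {
        libxml_disable_entity_loader($previousLoader);
        libxml_use_internal_errors($previousErrors);
    }
}

$app = new \Slim\App();

// Override the framework's default application/xml and text/xml callbacks
// on every request, before any route handler calls getParsedBody().
$app->add(function (Request $request, Response $response, callable $next) {
    $request->registerMediaTypeParser('application/xml', 'parseXmlSafely');
    $request->registerMediaTypeParser('text/xml', 'parseXmlSafely');
    return $next($request, $response);
});

// Same demo route as in the post; the parsed body is now safe to echo back.
$app->post('/post', function (Request $request, Response $response) {
    $parsedBody = $request->getParsedBody();
    return $response->write(print_r($parsedBody, true));
});

$app->run();
```

A malformed or entity-bearing document now yields null (or an element whose external entities are left unresolved) instead of file contents, which is the behaviour to verify when testing the fix.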
