The PHP framework Slim has an XXE vulnerability, one that only shows up in a CMS built on the framework.
The emergence of modern CMS frameworks (Laravel/Symfony/Slim) has changed the PHP vulnerabilities we see today, their root causes, and the way they are exploited. In this series we hope to summarize the CMS vulnerabilities we have discovered.
Slim is a well-known lightweight PHP framework with an advanced design. It works perfectly with PSR-7 and has more than 100 million users so far:
When I read the source code, I found a vulnerability that only occurs in a CMS built on the framework.
http://www.slimframework.com/
Vulnerability details
This vulnerability exists in the latest version (3.0).
First, install it with Composer:
composer require slim/slim "^3.0@RC"
See the documentation on the request body: http://www.slimframework.com/docs/objects/request.html#the-request-body
The getParsedBody method is used to obtain POST data. The POST body is dispatched to a different parser depending on the Content-Type:
A typical problem is that a framework sometimes does "helpful" work that developers might not need. In Slim, a conventional POST carries the Content-Type application/x-www-form-urlencoded, but as long as I change it to application/json I can pass in POST data in JSON format, and if I change it to application/xml I can pass in data in XML format. This feature causes two problems:
WAF Bypass
Possible XXE Vulnerability
The WAF bypass needs no further explanation: in general a WAF only inspects application/x-www-form-urlencoded data, so once the content type is changed the WAF is sidestepped. XXE is the focus of this vulnerability. Here is the code that parses the body:
public function __construct($method, UriInterface $uri, HeadersInterface $headers, array $cookies, array $serverParams, StreamInterface $body, array $uploadedFiles = [])
{
    $this->originalMethod = $this->filterMethod($method);
    $this->uri = $uri;
    $this->headers = $headers;
    $this->cookies = $cookies;
    $this->serverParams = $serverParams;
    $this->attributes = new Collection();
    $this->body = $body;
    $this->uploadedFiles = $uploadedFiles;

    if (!$this->headers->has('host') || $this->uri->getHost() != '') {
        $this->headers->set('host', $this->uri->getHost());
    }

    // One body parser is registered per media type; the Content-Type header selects which one runs.
    $this->registerMediaTypeParser('application/json', function ($input) {
        return json_decode($input, true);
    });

    // The XML parsers hand the raw body straight to simplexml_load_string()
    // without disabling the external entity loader.
    $this->registerMediaTypeParser('application/xml', function ($input) {
        return simplexml_load_string($input);
    });

    $this->registerMediaTypeParser('text/xml', function ($input) {
        return simplexml_load_string($input);
    });

    $this->registerMediaTypeParser('application/x-www-form-urlencoded', function ($input) {
        parse_str($input, $data);
        return $data;
    });
}
In fact, the parsing code is registered as callback functions inside the constructor of the Request class. We can see that simplexml_load_string is called directly on $input, which produces an XML external entity injection vulnerability. Therefore, any CMS developed with Slim 3.0 is affected by this XXE vulnerability as soon as it reads POST data.
Vulnerability proof
Write a simple demo page with a single route that obtains the POST data and outputs it:
require 'vendor/autoload.php';

$app = new \Slim\App();

// The route does nothing but parse and dump the body; the Content-Type header decides how it is parsed.
$app->post("/post", function ($request, $response) {
    $parsedBody = $request->getParsedBody();
    print_r($parsedBody);
});

$app->run();
Deployed on the Three White Hats platform: http://520fdc0ca2c31664f.jie.sange?mao.com/
A normal request:
Triggering the XXE vulnerability and reading /etc/passwd:
Vulnerability repair
In slimphp2, the official code handles this part as follows:
/**
 * Parse XML
 *
 * This method creates a SimpleXMLElement
 * based upon the XML input. If the SimpleXML
 * extension is not available, the raw input
 * will be returned unchanged.
 *
 * @param  string $input
 * @return \SimpleXMLElement|string
 */
protected function parseXml($input)
{
    if (class_exists('SimpleXMLElement')) {
        try {
            // External entity loading is switched off for the duration of the parse and restored afterwards.
            $backup = libxml_disable_entity_loader(true);
            $result = new \SimpleXMLElement($input);
            libxml_disable_entity_loader($backup);
            return $result;
        } catch (\Exception $e) {
            // Do nothing
        }
    }

    return $input;
}
I wonder why the official 3.0 release ignores this issue.
I guess there may be two reasons:
The official team noticed the problem, but reasoned that version 3.0 requires PHP 5.5 or later and mistakenly assumed that PHP 5.5 or later is no longer susceptible to XXE. However, XML external entity parsing does not depend on the PHP version; it depends on the version of the libxml library PHP was compiled against.
The official team has simply not noticed the problem.
I think the former is more likely.
Therefore, the fix is to adopt the same approach as slimphp2.
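The following is an added example, not code from the original post or from the Slim project, showing how a Slim 3 application can replace the default XML body parsers with a hardened one via middleware. It assumes the public registerMediaTypeParser method shown above and the demo route from the proof section; parseXmlSafely is a hypothetical name.

```php
<?php
// Added example (not Slim's own code): a hardened XML body parser that takes the
// slimphp2 approach (disable the entity loader around the parse) and additionally
// refuses any body that declares a DOCTYPE, since that is the only place an
// <!ENTITY> can be defined. Assumes Slim 3 and its public registerMediaTypeParser().
require 'vendor/autoload.php';

/**
 * Parse an XML request body without resolving external entities.
 * Returns null (so getParsedBody() yields null) when the body is rejected or malformed.
 */
function parseXmlSafely($input)
{
    // Reject DOCTYPE declarations up front: neither an internal subset nor an
    // external DTD reference is legitimate in an API request body.
    if (preg_match('/<!DOCTYPE/i', $input)) {
        return null;
    }
    // Disable the external entity loader for PHP < 8.0 (on by default there);
    // on PHP >= 8.0 this call is deprecated and the loader is already off.
    $previousLoader = libxml_disable_entity_loader(true);
    $previousErrors = libxml_use_internal_errors(true);
    try {
        // LIBXML_NONET forbids network access; LIBXML_NOENT is deliberately not
        // set, so entity references are never substituted into the tree.
        $xml = simplexml_load_string($input, 'SimpleXMLElement', LIBXML_NONET);
        return $xml === false ? null : $xml;
    } finally {
        libxml_use_internal_errors($previousErrors);
        libxml_disable_entity_loader($previousLoader);
    }
}

$app = new \Slim\App();

// Middleware that swaps both default XML parsers for the hardened one on every request.
$app->add(function ($request, $response, $next) {
    $request->registerMediaTypeParser('application/xml', 'parseXmlSafely');
    $request->registerMediaTypeParser('text/xml', 'parseXmlSafely');
    return $next($request, $response);
});

$app->post('/post', function ($request, $response) {
    $response->getBody()->write(print_r($request->getParsedBody(), true));
    return $response;
});

$app->run();
```

With this in place, a body carrying a DOCTYPE is dropped before libxml sees it, and even a body that slips past the check is parsed with the entity loader disabled, so getParsedBody() never returns file contents referenced by an entity.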