[PHP-DEV] Vulnerability by loading doctype-declaration of xml

Posted by Simon Schick 
February 29, 2012 07:31PM
Hi, all

I just read this post about a vulnerability by loading doctype-declaration
of an xml-string given in a request:
http://www.idontplaydarts.com/2011/02/scanning-the-internal-network-using-simplexml/

Would it be a good point to restrict which urls can be loaded in the
doctype, or is the following line the only possibility to prevent it in a
good way?
libxml_disable_entity_loader(true);

Bye
Simon
On Wed, 29 Feb 2012 19:30:15 +0100, Simon Schick
<[email protected]> wrote:

> I just read this post about a vulnerability by loading
> doctype-declaration
> of an xml-string given in a request:
> http://www.idontplaydarts.com/2011/02/scanning-the-internal-network-using-simplexml/
>
> Would it be a good point to restrict which urls can be loaded in the
> doctype, or is the following line the only possibility to prevent it in a
> good way?
> libxml_disable_entity_loader(true);
>

In PHP 5.4, you can use libxml_set_external_entity_loader() and define
your own logic. I'm afraid it's not documented yet, but it receives a
callback that takes two strings, a public id and system id and a context
(an array with four keys). The callback should return a resource, a string
from which a resource can be opened, or NULL.

--
Gustavo Lopes

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
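
An added example (not part of the original thread and not PHP's own code) of the callback described in the message above: an allow-list resolver registered with libxml_set_external_entity_loader(). The DTD map, the local path and the sample document are constructed assumptions.

```php
<?php
// Added example: allow-list resolver for libxml external entities (PHP >= 5.4).
// The map, the local path and the sample document below are constructed.

$allowed = [
    // system id as written in the document => local copy served instead
    'http://example.com/dtd/note.dtd' => __DIR__ . '/dtd/note.dtd',
];
$denied = [];

libxml_set_external_entity_loader(
    function ($publicId, $systemId, $context) use ($allowed, &$denied) {
        if (isset($allowed[$systemId]) && is_file($allowed[$systemId])) {
            // Return a string from which a resource can be opened.
            return $allowed[$systemId];
        }
        // Anything else (http://, file://, php:// ...) is never fetched.
        $denied[] = $systemId;
        return null;
    }
);

// Constructed request body: the DOCTYPE declares an external entity whose
// system id is a URL (192.0.2.0/24 is a documentation-only address range).
$xml = <<<XML
<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY ext SYSTEM "http://192.0.2.10:8080/">
]>
<note>&ext;</note>
XML;

libxml_use_internal_errors(true); // collect parser errors instead of warnings
$doc = new DOMDocument();
// LIBXML_NOENT asks libxml to substitute entities, so the resolver is
// consulted for the system id above instead of libxml fetching it itself.
$doc->loadXML($xml, LIBXML_NOENT);

foreach ($denied as $uri) {
    error_log("blocked external entity: $uri");
}
libxml_clear_errors();
```

Logging the denied system ids gives a record of documents that tried to reference resources outside the allow-list.
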
Using DOM, this can be achieved with $domDocument->resolveExternals =
false; before loading a document.

Julien.P

On Wed, Feb 29, 2012 at 9:52 PM, Gustavo Lopes <[email protected]> wrote:

> On Wed, 29 Feb 2012 19:30:15 +0100, Simon Schick
> <[email protected]> wrote:
>
>> I just read this post about a vulnerability by loading doctype-declaration
>> of an xml-string given in a request:
>> http://www.idontplaydarts.com/2011/02/scanning-the-internal-network-using-simplexml/
>>
>> Would it be a good point to restrict which urls can be loaded in the
>> doctype, or is the following line the only possibility to prevent it in a
>> good way?
>> libxml_disable_entity_loader(true);
>>
>
> In PHP 5.4, you can use libxml_set_external_entity_loader() and define
> your own logic. I'm afraid it's not documented yet, but it receives a
> callback that takes two strings, a public id and system id and a context
> (an array with four keys). The callback should return a resource, a string
> from which a resource can be opened, or NULL.
>
> --
> Gustavo Lopes