A4 – External Entities (XXE)
XML is method of marking data for processing by wrapping tags in your whatever-named elements, like
<whatever>. A very common example is RSS feed, they’re just XML files, containing
In XML v1.0 entity declarations were allowed, basically allowing variables. Entities can be values or files, sourcing from internal or external.
<?xml... <!DOCTYPE mydata[ <!ENTITY author "Good Guy"> ]> <mydata>&author;</mydata>
An XXE attack occurs when an XML is user supplied, and contains malicious data, like so:
<?xml... <!DOCTYPE mydata[ <!ENTITY author "Good Guy"> <!ENTITY attack SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">]> ]> <mydata>&author; &attack;</mydata>
If the data is processed,
<mydata> will now include the contents of
How do we fight this?
In PHP we have
libxml_disable_entity_loader(true); which prevents the attack perfecting by disabling the ability to load external entities.
What about WordPress?
WordPress’s core prevents against XXE for some core functionality, but this does little for third party plugins. Each author using XML parsing needs to remember to ensure external entities cannot be run. A quick search on google reveals there have been many breaches of this on many open source plugins.
As (what will quickly become a recurring pattern on this post):
As a developer, you need be aware of this attack and audit (it’s open source after all) third party themes and plugins that may of missed this vulnerability.