

    Security Advisory: ZF2014-01

    ZF2014-01: Potential XXE/XEE attacks using PHP functions: simplexml_load_*, DOMDocument::loadXML, and xml_parse

    Numerous components utilizing PHP's DOMDocument, SimpleXML, and xml_parse functionality are vulnerable to two types of attacks:

    • XML eXternal Entity (XXE) Injection attacks. The above-mentioned extensions are insecure by default, allowing external entities to be specified by adding a specific DOCTYPE element to XML documents and strings. By exploiting this vulnerability, an application may be coerced to open arbitrary files and/or TCP connections.
    • XML Entity Expansion (XEE) vectors, leading to Denial of Service. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; expanding them consumes CPU and memory, making Denial of Service exploits trivial to implement.

    Action Taken

    Continuing the patches performed in ZF2012-02 and ZF2012-05, we extended the patch to all usages of the PHP functions simplexml_load_*, DOMDocument::loadXML, and xml_parse, in order to prevent XXE and XEE attacks across the framework.

    We have provided new components, Zend_Xml_Security in ZF1 and the standalone ZendXml, that scan and load XML documents to prevent the attacks described above. The XXE attack is prevented using the libxml_disable_entity_loader() function to disable the loading of ENTITY nodes. The XEE attack is prevented by checking for the presence of ENTITY elements in the document type declaration; in such cases, we throw an Exception with an error message indicating that we don't accept ENTITY declarations in XML documents for security reasons.

    Moreover, because of PHP bug 64938, we have decided to handle the PHP-FPM scenario using a heuristic approach: we search the XML string for any use of an `<!ENTITY` element and, on detection, raise an exception.

    Note: the libxml library used by PHP to manage XML documents has been fixed against XEE attacks starting from libxml2 version 2.9. If you are using this version you can use the existing PHP functions without security concerns.
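    The two defences described above, as an added PHP example that is not code from this advisory or from Zend_Xml_Security/ZendXml: the raw-string scan for `<!ENTITY`, followed by a parse with the entity loader disabled, plus a DOCTYPE check for input the byte scan would miss. The function name, exception class and sample documents are this example's own assumptions.

```php
<?php
declare(strict_types=1);

// Example only: not the ZendXml or Zend_Xml_Security code from the advisory.
final class XmlSecurityException extends RuntimeException {}

// Parse an XML string, refusing any document that declares entities.
function loadXmlSecurely(string $xml): DOMDocument
{
    // Heuristic from the advisory: refuse the raw string if it carries an
    // ENTITY declaration, before libxml ever sees it (covers the PHP-FPM case).
    if (stripos($xml, '<!ENTITY') !== false) {
        throw new XmlSecurityException('ENTITY declarations are not accepted in XML documents');
    }

    // Disable external entity loading for the duration of the parse and collect
    // libxml errors instead of emitting warnings; restore both afterwards.
    // (libxml_disable_entity_loader() is deprecated since PHP 8.0, where the
    // loader is already off by default, but it still works.)
    $loaderWasDisabled = libxml_disable_entity_loader(true);
    $useInternalErrors = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        if ($dom->loadXML($xml, LIBXML_NONET) === false) {
            throw new XmlSecurityException('Malformed XML document');
        }
        // Second line of defence for documents the byte scan can miss
        // (e.g. UTF-16 input): reject a DOCTYPE that declares any entity.
        foreach ($dom->childNodes as $node) {
            if ($node instanceof DOMDocumentType && $node->entities->length > 0) {
                throw new XmlSecurityException('ENTITY declarations are not accepted in XML documents');
            }
        }
        return $dom;
    } finally {
        libxml_clear_errors();
        libxml_disable_entity_loader($loaderWasDisabled);
        libxml_use_internal_errors($useInternalErrors);
    }
}

// Constructed samples: a plain document and one declaring a harmless internal entity.
$plain  = '<?xml version="1.0"?><config><host>example.test</host></config>';
$entity = '<?xml version="1.0"?><!DOCTYPE config [<!ENTITY e "x">]><config>&e;</config>';

echo loadXmlSecurely($plain)->getElementsByTagName('host')->item(0)->textContent, PHP_EOL;
try {
    loadXmlSecurely($entity);
} catch (XmlSecurityException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The first call returns the parsed document; the second is rejected by the string scan before any parsing takes place.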

    The following components/libraries were patched, at the version specified:

    Other Information

    About XML eXternal Entity (XXE) attacks:

    Released 2014-03-06


    Have you identified a security vulnerability?

    Please report it to us at [email protected]

    Copyright

    © 2006-2019 by Zend, a Rogue Wave Company.
