WebApp Sec mailing list archives

Re: XXE (Xml eXternal Entity) attack


From: Matt Sergeant <msergeant () startechgroup co uk>
Date: Mon, 04 Nov 2002 11:12:04 +0000

Gregory Steuck said the following on 30/10/02 00:30:
 * Unauthorized access to data stored as XML files on the parsing
   system file system (of course the attacker still needs a way to
   get these data back)

An XML external parsed entity doesn't need to be XML. It can be plain text as long as it doesn't contain un-escaped less-than or ampersand characters. The classic example would be /etc/passwd.

Try parsing the following, e.g. with xmllint --noent

<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY passwd SYSTEM "/etc/passwd">
]>
<foo>
&passwd;
</foo>

The data could potentially be returned by a poorly written error handler (of course such an error handler is also probably subject to XSS vulnerabilities too).

Matt.
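A defensive counterpart to the payload shown in the message above, added here as an example (it is not part of the original post or of any library Matt refers to). It uses only the Python standard library: a pre-parse gate refuses any DOCTYPE that carries a SYSTEM or PUBLIC identifier, and a SAX parse with external general and parameter entity loading switched off shows that a declaration which does get through expands to nothing rather than to the contents of /etc/passwd. The two sample documents (`XXE_DOC`, `BENIGN_DOC`) and all function names are constructed for this illustration.

```python
"""Defensive handling of the external-entity payload described in the message.

Two layers: a cheap pre-parse gate that refuses any DOCTYPE referencing an
external resource (SYSTEM/PUBLIC identifier), and a SAX parse with external
entity loading switched off so a declaration that slips through expands to
nothing instead of a local file's contents. Standard library only.
"""
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Constructed sample input: the entity shape from the message.
XXE_DOC = """<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY passwd SYSTEM "/etc/passwd">
]>
<foo>
&passwd;
</foo>
"""

# Constructed sample input: no DTD at all.
BENIGN_DOC = """<?xml version="1.0"?>
<foo>hello</foo>
"""

# The DOCTYPE declaration, including an optional internal subset in [ ... ].
_DOCTYPE_RE = re.compile(r"<!DOCTYPE[^\[>]*(?:\[.*?\])?\s*>", re.DOTALL | re.IGNORECASE)
# An external identifier: SYSTEM "uri" or PUBLIC "id" "uri" (entity or external DTD).
_EXTERNAL_ID_RE = re.compile(r"\b(?:SYSTEM|PUBLIC)\s+[\"']")


def doctype_references_external_resource(xml_text: str) -> bool:
    """True if the DOCTYPE (if any) points at anything outside the document."""
    m = _DOCTYPE_RE.search(xml_text)
    return bool(m and _EXTERNAL_ID_RE.search(m.group(0)))


class _TextCollector(ContentHandler):
    """Accumulates character data so we can see what an entity expanded to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_text_without_external_entities(xml_text: str) -> str:
    """Parse with external general and parameter entities disabled; return text content."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # never fetch the SYSTEM target of &name;
    parser.setFeature(feature_external_pes, False)  # never fetch %name; or an external DTD subset
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return "".join(collector.parts).strip()


def safe_parse_text(xml_text: str) -> str:
    """Gate first, then parse with entity loading off; raise on rejected input."""
    if doctype_references_external_resource(xml_text):
        raise ValueError("rejected: DOCTYPE references an external resource")
    return parse_text_without_external_entities(xml_text)


if __name__ == "__main__":
    # The hardened parser alone: the reference expands to nothing, not to a file.
    print(repr(parse_text_without_external_entities(XXE_DOC)))
    print(safe_parse_text(BENIGN_DOC))
    try:
        safe_parse_text(XXE_DOC)
    except ValueError as err:
        print(err)
```

The gate is the layer worth keeping even when the parser is already configured correctly: rejecting the input outright gives you a log line to alert on, whereas a silently skipped entity leaves no trace of the attempt. Most applications that accept XML from the network have no legitimate need for a DOCTYPE at all, so an even stricter gate that refuses any DOCTYPE is a reasonable default.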

