I've stumbled upon an exploit method which I haven't really had time to investigate before. XML eXternal Entity (XXE) is said to allow a server-side type of injection. I can specify a Document Type Declaration (DOCTYPE) to define the structure of the XML. Inside the DOCTYPE I can define entities and assign particular values to them. Then I can use the entities in the XML body and the parser will replace them with their values.
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE doc [
  <!ENTITY pwd SYSTEM "file:///etc/passwd">
]>
<query>
  <name>Kiuhnm</name>
  <profession>&pwd;</profession>
</query>
In that case I can read arbitrary files. My question is: is it possible to write an XML-level patch, or should I do this at the server level and disallow reading of files from the outside?
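The usual defensive answer is that the fix belongs in the XML parser configuration rather than in the file system: refuse DOCTYPE declarations in untrusted input, and tell the parser never to fetch external entities even if a DTD slips through. The following is an added example, not code from the post; it uses only Python's standard library `xml.sax`. The document with the `&pwd;` entity is the one from the post, while `SAFE_QUERY`, the value "pentester" and the helper names (`parse_query`, `reject_doctype`, `DoctypeRejected`) are constructed for this illustration.

```python
import re
from io import BytesIO
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Document from the post: an external entity pointing at a local file.
XXE_QUERY = b"""<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE doc [
  <!ENTITY pwd SYSTEM "file:///etc/passwd">
]>
<query>
  <name>Kiuhnm</name>
  <profession>&pwd;</profession>
</query>"""

# Constructed benign input of the same shape, with no DTD at all.
SAFE_QUERY = b"""<?xml version="1.0" encoding="UTF-8" ?>
<query>
  <name>Kiuhnm</name>
  <profession>pentester</profession>
</query>"""


class DoctypeRejected(ValueError):
    """Raised when untrusted input carries a DOCTYPE (hypothetical name)."""


# Coarse pre-parse guard: the protocol here never legitimately needs a DTD,
# so any DOCTYPE is rejected outright. This is defence in depth only; a
# document in another encoding could evade a byte-level regex, which is why
# the parser feature below is the control that actually matters.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def reject_doctype(data: bytes) -> None:
    if _DOCTYPE_RE.search(data):
        raise DoctypeRejected("DOCTYPE declarations are not accepted")


class QueryHandler(ContentHandler):
    """Collects the text of <name> and <profession> into a dict."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._current = None

    def startElement(self, name, attrs):
        if name in ("name", "profession"):
            self._current = name
            self.fields[name] = ""

    def characters(self, content):
        # SAX may deliver text in several chunks; concatenate them.
        if self._current is not None:
            self.fields[self._current] += content

    def endElement(self, name):
        if name == self._current:
            self._current = None


def parse_query(data: bytes, allow_dtd: bool = False) -> dict:
    """Parse a <query> document with external entity resolution disabled.

    allow_dtd=True skips the DOCTYPE guard so the second layer can be
    observed on its own: the entity is declared but never fetched.
    """
    if not allow_dtd:
        reject_doctype(data)
    parser = xml.sax.make_parser()
    # Never resolve external general entities: SYSTEM "file:///..." is
    # simply not read, so &pwd; expands to nothing instead of a file.
    parser.setFeature(feature_external_ges, False)
    handler = QueryHandler()
    parser.setContentHandler(handler)
    parser.parse(BytesIO(data))
    return handler.fields


if __name__ == "__main__":
    print(parse_query(SAFE_QUERY))
    try:
        parse_query(XXE_QUERY)
    except DoctypeRejected as exc:
        print("rejected:", exc)
    # Even with the guard bypassed, the file content never appears.
    print(parse_query(XXE_QUERY, allow_dtd=True))
```

Recent CPython versions already default `feature_external_ges` to off for `xml.sax`, but setting it explicitly documents the intent and survives a move to a parser whose default differs. Rejecting the DOCTYPE entirely is the cleaner rule when, as here, the application never needs one; filesystem restrictions on the server are still worthwhile, but they do not stop the same entity mechanism from being pointed at internal HTTP services instead of files.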