The XML specification allows the use of entities that can be internal or external (file system, network, etc.), which can lead to vulnerabilities such as SSRF or disclosure of confidential files. Therefore, enabling external entity substitution via the LIBXML_NOENT option can make an application vulnerable to XML External Entity (XXE) attacks.
In the past it has led to the following vulnerabilities:
It is recommended not to enable entity substitution via the LIBXML_NOENT option. Alternatively, the libxml_set_external_entity_loader function can be used to suppress the expansion of arbitrary external entities and so avoid XXE attacks, even when LIBXML_NOENT has been set.
$dom = new DOMDocument();
// sensitive: `LIBXML_NOENT` constant will enable external entity substitution
$dom->load('config.xml', LIBXML_NOENT);

$dom = new DOMDocument();
// compliant: without `LIBXML_NOENT`, external entities are not substituted
$dom->load('config.xml');
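The second mitigation described above, using libxml_set_external_entity_loader to refuse arbitrary external entities even when LIBXML_NOENT is set, as an added example that is not part of the original page. The trusted DTD directory, the log message and the test document are assumptions; the loader resolves only plain local paths inside that directory and returns null (unresolvable) for everything else.

```php
<?php
// Added example: restrict external entity loading so that LIBXML_NOENT cannot be
// used to pull in arbitrary files or URLs. ALLOWED_DTD_DIR is an assumed location.
const ALLOWED_DTD_DIR = '/var/app/schemas';

libxml_set_external_entity_loader(
    function ($publicId, $systemId, array $context) {
        // Refuse entities with no system identifier.
        if ($systemId === null || $systemId === '') {
            return null;
        }
        // realpath() fails for URLs (file://, http://, php://) and for missing
        // files, so only existing local paths get past this point.
        $real = realpath($systemId);
        if ($real === false
            || strpos($real, ALLOWED_DTD_DIR . DIRECTORY_SEPARATOR) !== 0) {
            error_log("Blocked external entity: public={$publicId} system={$systemId}");
            return null; // null tells libxml the entity cannot be loaded
        }
        // Inside the trusted directory: let libxml open the file.
        return $real;
    }
);

// Constructed test input: an external entity that must never be expanded.
$untrusted = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE config [
  <!ENTITY ext SYSTEM "file:///tmp/not-allowed.txt">
]>
<config><value>&ext;</value></config>
XML;

$dom = new DOMDocument();
libxml_use_internal_errors(true); // collect loader errors instead of emitting warnings
// Even with LIBXML_NOENT, the loader above refuses &ext;, so it stays unexpanded.
// LIBXML_NONET additionally blocks network access during parsing.
$dom->loadXML($untrusted, LIBXML_NOENT | LIBXML_NONET);

$value = $dom->getElementsByTagName('value')->item(0)->textContent;
echo "value element content: '" . $value . "'\n";
foreach (libxml_get_errors() as $err) {
    echo 'libxml: ' . trim($err->message) . "\n";
}
libxml_clear_errors();
```

The loader is process-wide, so register it once at application start-up rather than per request, and prefer omitting LIBXML_NOENT entirely where entity substitution is not needed.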