The XML specification allows the use of entities that can be internal or external (loaded from the file system, the network, etc.). External entities can lead to vulnerabilities such as SSRF or disclosure of confidential files. Enabling external entity substitution via the LIBXML_NOENT option therefore makes an application vulnerable to XML External Entity (XXE) attacks.
In the past it has led to the following vulnerabilities:
It is recommended not to enable entity substitution via the LIBXML_NOENT option. In addition, the libxml_set_external_entity_loader function can be used to suppress the loading of arbitrary external entities and so avoid XXE attacks, even when LIBXML_NOENT has been set.
$dom = new DOMDocument();
// sensitive: the `LIBXML_NOENT` constant enables external entity substitution
$dom->load('config.xml', LIBXML_NOENT);

$dom = new DOMDocument();
// compliant: entities are not substituted, so external resources are never fetched
$dom->load('config.xml');
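The following is an added example, not code from the rule page, showing the second mitigation described above: a custom entity loader installed with libxml_set_external_entity_loader that refuses every external fetch, so that a document declaring external entities cannot make the parser read a local file or contact a network host even when LIBXML_NOENT is set. The XML input, the file path and the host name in it are constructed placeholders, and the function name loadXmlWithoutExternalEntities is an assumption of this example. It assumes PHP 8, where passing null to libxml_set_external_entity_loader restores the default loader.

```php
<?php
// Added example: parse untrusted XML while blocking all external entity loading.

// Constructed sample input: an internal DTD declares one entity pointing at a
// local file and one pointing at an internal URL (both placeholder values).
$untrustedXml = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE config [
  <!ENTITY localFile SYSTEM "file:///path/to/secret.txt">
  <!ENTITY remote SYSTEM "http://internal.example.invalid/metadata">
]>
<config><a>&localFile;</a><b>&remote;</b></config>
XML;

/**
 * Parse $xml with DOMDocument while refusing every external resource fetch.
 * Returns the parsed document (or null if libxml rejected it) together with the
 * list of external identifiers the loader was asked for and refused.
 */
function loadXmlWithoutExternalEntities(string $xml): array
{
    $blocked = [];

    // Collect libxml errors instead of emitting PHP warnings for each of them.
    $previousErrorMode = libxml_use_internal_errors(true);

    // Every attempt to resolve an external resource (external entity, external
    // DTD subset, XInclude target) reaches this callback. Returning null tells
    // libxml the resource could not be loaded, so nothing is read from disk or
    // fetched over the network, regardless of the parser options in use.
    libxml_set_external_entity_loader(
        function (?string $publicId, ?string $systemId, array $context) use (&$blocked) {
            $blocked[] = $systemId ?? $publicId ?? '(unknown)';
            return null;
        }
    );

    $dom = new DOMDocument();
    // LIBXML_NOENT is deliberately set here to show that the loader above, not
    // the absence of the flag, is what prevents the external fetch. Depending on
    // the libxml version the failed load is reported as an error and the
    // document may be rejected; either way no external content is read.
    $loaded = $dom->loadXML($xml, LIBXML_NOENT);

    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previousErrorMode);

    // The entity loader is global to the process; restore the default so that
    // unrelated parsers later in the same request are not affected.
    libxml_set_external_entity_loader(null);

    return [
        'document' => $loaded ? $dom : null,
        'blocked'  => $blocked,
        'errors'   => array_map(fn($e) => trim($e->message), $errors),
    ];
}

$result = loadXmlWithoutExternalEntities($untrustedXml);

// The loader was consulted for both external identifiers and refused each one.
foreach ($result['blocked'] as $id) {
    echo "blocked external entity load: {$id}\n";
}

// If libxml accepted the document, the entity references expanded to nothing:
// the <a> and <b> elements carry no content from the file or the URL.
if ($result['document'] !== null) {
    echo "a=" . var_export($result['document']->getElementsByTagName('a')->item(0)->textContent, true) . "\n";
    echo "b=" . var_export($result['document']->getElementsByTagName('b')->item(0)->textContent, true) . "\n";
} else {
    echo "document rejected by libxml: " . implode('; ', $result['errors']) . "\n";
}
```

When an application has no legitimate need for DTDs at all, the simplest policy is to leave LIBXML_NOENT unset as in the compliant example above; the custom loader is the defence to reach for when a third-party library or a legacy code path sets the flag outside your control, and because the loader is process-global it should be installed early (for example in a bootstrap file) rather than relied on from one call site.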