#8 Fix XML::Parser::Expat vulnerability (XXE bug)


(as described by Randy Ray)

Basically, the expat parser that lives under the hood of
XML::Parser::Expat will try to resolve external entities if
they match a declaration specified in the DTD. This can
be used to cause a web service based on XML::Parser
(or a toolkit that uses it) to be hung, to open arbitrary
local files, etc. The exploit he showed me was:

1. Assume you have nc listening on port 8000
2. Send the following:

```xml
<?xml version="1.0"?>
<!ENTITY ll system "http://somehost:8000">
```


That's very simplified (and I probably declared the
DOCTYPE block wrong, but I didn't feel like looking it
up), but it shows the problem. Even though expat
is non-validating, it will try to look up entities.

You can get around this by declaring an ExternEnt event
handler for the parser object's class. In both Ken's case
and mine, we just return an empty string (the prescribed
syntax is described in the man page). I also issue a
warning; Ken doesn't bother.

Technically, a SOAP message isn't supposed to have a
DOCTYPE, nor should XML-RPC. But this exploit could
kick in before a parse-engine like either of ours has a
chance to react to that.
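The mitigation the ticket describes, as an added example (not code from SOAP::Lite or from the ticket): an ExternEnt handler that returns an empty string so expat never opens or fetches the system identifier. The sample message, the `.invalid` host and the `refuse_external_entity` name are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use XML::Parser;

# Constructed sample: a DOCTYPE declaring an external entity that points at
# a placeholder host (".invalid" never resolves), referenced from the body.
my $xml = <<'XML';
<?xml version="1.0"?>
<!DOCTYPE methodCall [
  <!ENTITY ll SYSTEM "http://somehost.invalid:8000/">
]>
<methodCall><methodName>&ll;</methodName></methodCall>
XML

# Called by XML::Parser for every external entity reference. Returning an
# empty string makes the entity expand to nothing, so no file is opened and
# no connection is attempted. Warning text is this example's own.
my $refused = 0;
sub refuse_external_entity {
    my ($expat, $base, $sysid, $pubid) = @_;
    $refused++;
    warn "refusing external entity: sysid=" . (defined $sysid ? $sysid : '') . "\n";
    return '';
}

# Parse with the handler installed and collect the character data, so the
# caller can see that the entity contributed nothing to the document.
sub parse_without_external_entities {
    my ($doc) = @_;
    my $text = '';
    my $parser = XML::Parser->new(
        Handlers => {
            ExternEnt => \&refuse_external_entity,
            Char      => sub { $text .= $_[1] },
        },
    );
    $parser->parse($doc);   # dies on a well-formedness error
    return $text;
}

# Without an ExternEnt handler, XML::Parser's default behaviour is to try to
# resolve the system identifier itself, which is the problem the ticket
# reports; with the handler above the reference is simply dropped.
my $content = parse_without_external_entities($xml);
printf "refused %d external entity reference(s); methodName text is '%s'\n",
    $refused, $content;
```

The same handler can be passed to SOAP::Lite's or XML-RPC's parser object wherever it constructs its XML::Parser, which is what the ticket's fix amounts to.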


  • Pavel Kulchenko - 2003-06-02
    • summary: XML::Parser::Expat vulnerability (XXE bug) --> Fix XML::Parser::Expat vulnerability (XXE bug)
  • Pavel Kulchenko - 2003-08-11
    • status: open --> closed
