XML External Entity Injection (XXE) is a common attack against XML parsers. When a full XML file, or user input that is inserted into a pre-formatted XML document, is parsed, the user can declare entities. These entities allow reading files on the local machine, SSRF and sometimes even RCE. This attack is devastating when it is found.
In WordPress, the Media Library lets users upload media files for their blog posts. To extract metadata from these files, WordPress uses the getID3 library, and some of this information is parsed as XML data.
In earlier versions of this code, WordPress explicitly turned off entity loading before calling simplexml_load_string. This was because a vulnerability was discovered in this component back in 2014. So they patched it, but what is the issue?
With PHP 8, the function libxml_disable_entity_loader was deprecated because the library no longer loads external entities by default. So on PHP 8+ the code that disables the loader is not run.
However, the flags passed to simplexml_load_string include LIBXML_NOENT, which ENABLES entity substitution! Damn, one would think that relying on the library's default-off behaviour would fix this bug. Instead, it simply reintroduced the bug into the ecosystem.
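To make the point concrete, here is an added PHP example (not WordPress or getID3 code) that puts the vulnerable pattern next to a hardened one. The XML input, the function names and the `title` element are constructed for this illustration; the only real facts it relies on are that `LIBXML_NOENT` asks libxml to substitute entities, and that `libxml_set_external_entity_loader` is the PHP 8 way to refuse external entity loading now that `libxml_disable_entity_loader` is deprecated.

```php
<?php
// Added example, not WordPress/getID3 code: how LIBXML_NOENT turns a
// simplexml_load_string() call into an XXE sink, and how to parse the
// same metadata safely. The XML below is constructed for this example;
// in the real bug an attacker controls it through an uploaded media file.

declare(strict_types=1);

// Constructed input. An internal entity stands in for the external
// (file:// or http://) entity an attacker would declare; the hardened
// parser must reject the DOCTYPE before any entity is processed.
const UNTRUSTED_XML = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE meta [
  <!ENTITY probe "ENTITY-WAS-EXPANDED">
]>
<meta><title>&probe;</title></meta>
XML;

/**
 * Mirrors the vulnerable pattern described above: the caller assumes
 * entity loading is off on PHP 8, yet LIBXML_NOENT explicitly asks the
 * parser to substitute entities for this call, external ones included.
 */
function parseVulnerable(string $xml): string
{
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
    return $doc === false ? '' : (string) $doc->title;
}

/**
 * Hardened variant (hypothetical name):
 *  1. refuse any document carrying a DOCTYPE; media metadata never needs one;
 *  2. do not pass LIBXML_NOENT, so entities are not substituted;
 *  3. pass LIBXML_NONET to forbid network access during parsing;
 *  4. install an external entity loader that returns null, which is the
 *     PHP 8 replacement for libxml_disable_entity_loader(true).
 */
function parseHardened(string $xml): string
{
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new InvalidArgumentException('DOCTYPE is not permitted in metadata XML');
    }

    // Any attempt to load an external entity now fails instead of fetching.
    libxml_set_external_entity_loader(
        static fn (?string $publicId, string $systemId, array $context) => null
    );
    libxml_use_internal_errors(true);

    try {
        $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
        return $doc === false ? '' : (string) $doc->title;
    } finally {
        libxml_clear_errors();
        // Restore libxml's default loader for the rest of the process.
        libxml_set_external_entity_loader(null);
    }
}

// Usage: the vulnerable parser happily processes the DOCTYPE and its
// entity; the hardened parser rejects it but still reads clean metadata.
printf("vulnerable: %s\n", parseVulnerable(UNTRUSTED_XML));

try {
    parseHardened(UNTRUSTED_XML);
} catch (InvalidArgumentException $e) {
    printf("hardened: rejected (%s)\n", $e->getMessage());
}

printf("hardened, clean input: %s\n", parseHardened('<meta><title>song</title></meta>'));
```

The DOCTYPE check is the cheapest defence and the one that does not depend on libxml version or flag semantics; the entity loader and the absence of `LIBXML_NOENT` are defence in depth for the case where some code path parses XML the check never saw.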
This vulnerability is exploitable in several locations, but they all come down to the bug above. This just goes to show that patching is just as hard as writing secure code in the first place. If I were participating in ZDI, I would just look at patches for old bugs and see if they were sufficient.