Newsgroups: php.internals
Date: Wed, 29 Feb 2012 19:30:15 +0100
From: simonsimcity@googlemail.com (Simon Schick)
To: PHP Internals List
Subject: Vulnerability by loading doctype-declaration of xml

Hi, all

I just read this post about a vulnerability by loading doctype-declaration of an xml-string given in a request:
http://www.idontplaydarts.com/2011/02/scanning-the-internal-network-using-simplexml/

Would it be a good point to restrict which urls can be loaded in the doctype, or is the following line the only possibility to prevent it in a good way?

    libxml_disable_entity_loader(true);

Bye
Simon
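One way to restrict which URLs a DOCTYPE may load, the alternative the message asks about, shown as an added example that is not part of the original message or of PHP's own code: it uses libxml_set_external_entity_loader() (PHP 5.4 and later) with an allowlist. The allowlist entry, the local path and the sample document are constructed for illustration.

```php
<?php
// Added example, not from the original message. The allowlist entry and the
// sample document are constructed; 192.0.2.10 is a documentation-only address.

$allowed = [
    // system identifier => local file served in its place (hypothetical path)
    'http://example.test/dtd/note.dtd' => __DIR__ . '/dtd/note.dtd',
];
$refused = [];

// libxml asks this callback for every external DTD or entity it wants to load.
// Returning a path lets it read that file; returning null refuses the load.
libxml_set_external_entity_loader(
    function ($publicId, $systemId, $context) use ($allowed, &$refused) {
        $systemId = (string) $systemId;
        if (isset($allowed[$systemId]) && is_file($allowed[$systemId])) {
            return $allowed[$systemId];
        }
        $refused[] = $systemId;   // keep a record for logging or alerting
        return null;
    }
);

// Constructed request body whose DOCTYPE points an entity at another host.
$xml = <<<XML
<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY ext SYSTEM "http://192.0.2.10:8080/"> ]>
<note>&ext;</note>
XML;

libxml_use_internal_errors(true);   // collect parser errors instead of warnings
$doc = new DOMDocument();
// LIBXML_NOENT is passed only to show that the loader is still consulted
// when a caller has switched entity substitution on.
$ok = $doc->loadXML($xml, LIBXML_NOENT);

printf("parsed: %s\n", $ok ? 'yes' : 'no');
foreach ($refused as $id) {
    printf("refused external load: %s\n", $id);
}
foreach (libxml_get_errors() as $err) {
    printf("libxml: %s\n", trim($err->message));
}
libxml_clear_errors();
```

Because the callback returns null for anything outside the allowlist, no network request is made for the refused identifier. libxml_disable_entity_loader() itself is deprecated as of PHP 8.0, where libxml 2.9.0 or later does not load external entities unless LIBXML_NOENT is passed.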