This repository was archived by the owner on Dec 19, 2023. It is now read-only.

Fixed DoS due to XXE in xmlBundle #2

Merged
3 commits merged into from
Sep 17, 2020

Conversation

d3m0n-r00t

@d3m0n-r00t d3m0n-r00t commented Sep 12, 2020

📊 Metadata *

Denial of Service (DoS) due to XML Entity Injection.

Bounty URL: https://www.huntr.dev/bounties/1-packagist-desperado%2Fxml-bundle/

⚙️ Description *

The xmlBundle package is vulnerable to XML External Entity (XXE) Injection which can result in denial of service attacks.

💻 Technical Description *

Fixed XXE Injection by adding libxml_disable_entity_loader.

🐛 Proof of Concept (PoC) *

<?php

include 'autoload.php';
use Desperado\XmlBundle\Model\XmlReader;

$xmlString = '<?xml version="1.0" standalone="no" ?>
<!DOCTYPE request [
<!ENTITY a0 "dosdosdosdosdosdosdosdosdosdosdosdosdosdosdosdosdosdos">
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
]>
<request>
    <Details>
        <PaymentParameters>
            <first_node>first_node_value</first_node>
            <second_node>&a1;</second_node>
        </PaymentParameters>
    </Details>
</request>';

$xmlReader = new XmlReader;

var_dump($xmlReader->processConvert($xmlString));
?>

Reference: pravednik#2

🔥 Proof of Fix (PoF) *

libxml_disable_entity_loader(true);

👍 User Acceptance Testing (UAT)

I am not sure about the fix, but with proper review we can fix this issue.
Fix Reference: openid/php-openid@625c16b
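
Added example (not part of the xmlBundle fix or this PR): a hardened XML loader showing the defensive settings around the libxml_disable_entity_loader() change proposed above. Note that libxml_disable_entity_loader() only stops external entities from being fetched, while the PoC above expands internal entities, so the loader also refuses any document that declares a DTD. The function and exception names are hypothetical, and the two inputs are constructed.

```php
<?php
// Hypothetical hardened loader for xmlBundle-style input; not the project's own code.
declare(strict_types=1);

final class UnsafeXmlException extends RuntimeException {}

function safeLoadXml(string $xml): DOMDocument
{
    // Both XXE and entity-expansion (billion laughs) payloads need a
    // <!DOCTYPE ...> to declare entities, so refuse DTDs before parsing.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new UnsafeXmlException('DTD declarations are not allowed');
    }

    // On PHP < 8.0 explicitly disable external entity loading (the PR's fix).
    // PHP 8.0+ has it off by default and deprecates this call, so skip it there.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }

    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET forbids network access during parsing. Never pass
    // LIBXML_NOENT here: it would turn entity substitution back on.
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($ok === false) {
        $message = isset($errors[0]) ? trim($errors[0]->message) : 'unknown';
        throw new UnsafeXmlException('XML parse error: ' . $message);
    }
    return $doc;
}

// Constructed inputs: a benign request and one that declares an entity.
$benign  = '<?xml version="1.0"?><request><Details><first_node>v</first_node></Details></request>';
$withDtd = '<?xml version="1.0"?><!DOCTYPE request [<!ENTITY a0 "x">]><request>&a0;</request>';

echo safeLoadXml($benign)->documentElement->nodeName, PHP_EOL;
try {
    safeLoadXml($withDtd);
} catch (UnsafeXmlException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```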

@ghost ghost merged commit 803d8cb into 418sec:master Sep 17, 2020
@huntr-helper

Congratulations d3m0n-r00t - your fix has been selected! 🎉

Thanks for being part of the community & helping secure the world's open source code.
If you have any questions, please respond in the comments section, or hit us up on Discord. Your bounty is on its way - keep hunting!

Come join us on Discord

This pull request was closed.
2 participants