mahara-contributors team mailing list archive

Thread
Date

[Bug 1047111] Re: XEE possible in mahara

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Melissa Draper <melissa@xxxxxxxxxxxxx>
Date: Fri, 14 Sep 2012 01:58:23 -0000
Reply-to: Bug 1047111 <1047111@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Description changed:

- libxml_disable_entity_loader(true) is never called in mahara, which
- means that xml functionalities are vulnerable to
- http://projects.webappsec.org/w/page/13247003/XML%20External%20Entities
+ There is a security issue with the default XML parser for PHP, where ENTITY fields are
+ loaded and substituted in text parts. 
  
- can be fixed by adding libxml_disable_entity_loader(true) in init.
+ This allows possible attackers to read from internal networks, or files readable by the
+ web server user.
+ 
+ This includes reading of the config.php file, which contains sensitive information such
+ as the database password, and the password salt field.
+ 
+ The fix for this was to include a call to libxml_disable_entity_loader(true) during the
+ initialization of a page.
+ 
+ More information can be found at the following:
+  http://projects.webappsec.org/w/page/13247003/XML%20External%20Entities
+  http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html
  
  Reported by Mike Haworth.

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/1047111

Title:
  XEE possible in mahara

Status in Mahara ePortfolio:
  Confirmed
Status in Mahara 1.4 series:
  Fix Released
Status in Mahara 1.5 series:
  Fix Released

Bug description:
  There is a security issue with the default XML parser for PHP, where ENTITY fields are
  loaded and substituted in text parts. 

  This allows possible attackers to read from internal networks, or files readable by the
  web server user.

  This includes reading of the config.php file, which contains sensitive information such
  as the database password, and the password salt field.

  The fix for this was to include a call to libxml_disable_entity_loader(true) during the
  initialization of a page.

  More information can be found at the following:
   http://projects.webappsec.org/w/page/13247003/XML%20External%20Entities
   http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html

  Reported by Mike Haworth.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1047111/+subscriptions