[Bug 1509817] [NEW] libxml_disable_entity_loader is not threadsafe
Launchpad Bug Tracker
1509817 at bugs.launchpad.net
Fri Oct 30 07:28:32 UTC 2015
*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Robie Basak (racb):

libxml's libxml_disable_entity_loader was not threadsafe on php-fpm
prior to 5.5.22 and 5.6.6. This allowed attackers to perform an XXE
attack even though the entity loader was disabled in your code.

Zend came up with a separate library for this:
https://github.com/zendframework/ZendXml however I don't think it is
that widely used and the fix itself is hard: the library itself had to
be patched again ([ZF2015-06]).

AFAIK the patch to fix this issue has not yet been backported. I think
it would be a much needed security enhancement, given that the
workaround is hard and, as history has shown, prone to complicated Unicode
encoding attacks.

For more information, please see:
* https://bugs.php.net/bug.php?id=64938 (fixed in 5.5.22)
* https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing

** Affects: php5 (Ubuntu)
Importance: Undecided
Status: Confirmed

** Affects: php5 (Ubuntu Trusty)
Importance: Undecided
Status: New

** Tags: xml xxe
--
libxml_disable_entity_loader is not threadsafe
https://bugs.launchpad.net/bugs/1509817
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to the bug report.
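
A fail-closed input gate for the situation the report describes, as an added example (not code from PHP, ZendXml or the reporter): it refuses any DOCTYPE before libxml parses the document, so it does not rely on libxml_disable_entity_loader staying in effect. The function names are hypothetical, and accepting only UTF-8 input is an assumption made to avoid the encoding problems the report mentions; documents that legitimately carry a DTD are rejected too.

```php
<?php
// Added example: not code from PHP, ZendXml or the bug report. Names are hypothetical.

// Affected range as stated in the report: php-fpm prior to 5.5.22 and 5.6.6.
function isAffectedFpm($version, $sapi)
{
    $old = version_compare($version, '5.6', '>=')
        ? version_compare($version, '5.6.6', '<')
        : version_compare($version, '5.5.22', '<');
    return strpos($sapi, 'fpm') === 0 && $old;
}

function parseUntrustedXml($xml)
{
    // Assumption: only UTF-8 is accepted. Invalid UTF-8 or NUL bytes (UTF-16/32)
    // are refused so no other encoding can hide markup from the check below.
    if ($xml === '' || preg_match('//u', $xml) !== 1 || strpos($xml, "\0") !== false) {
        throw new InvalidArgumentException('XML must be non-empty UTF-8');
    }
    // A declared non-UTF-8 encoding would make libxml decode the body differently.
    $decl = '/^(?:\xEF\xBB\xBF)?\s*<\?xml\b[^>]*?\bencoding\s*=\s*["\']([^"\']*)["\']/i';
    if (preg_match($decl, $xml, $m) && strcasecmp($m[1], 'UTF-8') !== 0) {
        throw new InvalidArgumentException('Declared encoding must be UTF-8');
    }
    // No DOCTYPE means no entity declarations; refuse before libxml parses anything.
    if (stripos($xml, '<!DOCTYPE') !== false) {
        throw new InvalidArgumentException('DOCTYPE is not allowed');
    }
    $dom = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        throw new InvalidArgumentException('Malformed XML');
    }
    return $dom;
}

// Constructed sample inputs (not taken from the report).
$samples = array(
    'plain'   => '<?xml version="1.0" encoding="UTF-8"?><a>ok</a>',
    'doctype' => '<?xml version="1.0"?><!DOCTYPE a [<!ENTITY e "x">]><a>&e;</a>',
    'utf16'   => "\xFF\xFE<\0a\0/\0>\0",
);
foreach ($samples as $name => $xml) {
    try { parseUntrustedXml($xml); echo "$name: accepted\n"; }
    catch (InvalidArgumentException $e) { echo "$name: rejected (", $e->getMessage(), ")\n"; }
}
echo 'affected php-fpm build: ', var_export(isAffectedFpm(PHP_VERSION, PHP_SAPI), true), "\n";
```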