Improper restriction of XML external entity reference (XXE) in PHP

#VU9867 Improper restriction of XML external entity reference (XXE) in PHP

Published: 2016-05-22 | Updated: 2018-01-04

Vulnerability identifier: #VU9867

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2015-8866

CWE-ID:

Exploitation vector: Network

Exploit availability:

Vulnerable software:
PHP
Universal components / Libraries / Scripting languages

Vendor: PHP Group

Description
The vulnerability allows a remote attacker to perform XXE. attcks.

The vulnerability exists in ext/libxml/libxml.c when using PHP-FPM due to improper isolation of each threat from libxml_disable_entity_loader changes in other threads. A remote attacker can perform XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document.

Note: this vulnerability is known at least since 2013 and it was patched several times.

Mitigation
Update to version 7.0.27.

Vulnerable software versions

PHP: 7.2.0, 7.0.0 - 7.0.26, 7.1.0 - 7.1.12, 5.6.0 - 5.6.32, 5.5.0 - 5.5.38, 5.4.15 - 5.4.44

Fixed software versions

CPE

cpe:2.3:a:php_group:php:7.2.0:*:*:*:*:*:*:*

External links
http://www.openwall.com/lists/oss-security/2016/04/24/1
http://git.php.net/?p=php-src.git;a=commit;h=de31324c221c1791b26350ba106cc26bad23ace9
http://www.php.net/ChangeLog-5.php
http://bugs.php.net/bug.php?id=64938

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Plesk Onyx update for PHP

Multiple vulnerabilities in PHP