Nelson's Weblog: tech / bad / xmlCode

Parsing XML can open network sockets

XML is bad for data transfer for lots of reasons. It's slow to parse, awfully wordy, doesn't support 8 bit data, etc etc. But my favourite thing is how most XML consumers can be induced to open arbitrary URLs.

There's a 4+ year old security hole in many XML parsers called XXE, the Xml eXternal Entity attack. Take a look:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE doc [
  <!ENTITY passwd SYSTEM "file:///etc/passwd">
  <!ENTITY http SYSTEM "http://example.com/delAll">
]>
<eyeAmH4xor>
  &passwd; &http;
</eyeAmH4xor>

Don't let all the pointy-parentheses confuse you (although they're a good reason to hate XML too). What's going on there is my document has defined two new entities called passwd and http and then used them. They're defined as expanding to the contents of URIs.

About 3/4 of the XML applications I've encountered out there will blindly do as ordered and load the URIs. The app will load the password file, at which point a clever hacker can usually induce the application to send it back to them (as an error message, for instance). Even better it will load the HTTP URL. Yes, many XML applications will load any URL you tell them to. From the app server. Nice, huh?

XXE is an old bug, but it keeps coming back because most people using XML would never think their little XML parser can be instructed to start opening network sockets. Acrobat had this bug just last year. XML parsers usually have obscure options to secure them, but many have them off by default. Why are we using a data format where this is possible at all?

tech • bad
2006-08-17 00:48 Z


Mastodon @nelson@tech.lgbt Linkblog Wed 2024-11-20 Francis Williams painting The Platonic Blow Tue 2024-11-19 EmojiRain Bantam Tools Artframe Using OSM vector tiles Starlink sold out Fine-tuning LLMs at home Bluesky starter packs Mon 2024-11-18 Carbon Mapper Sun 2024-11-17 Love, Acceptance, and Screeching Modems Voyager 1 backup radio Gay Tblisi Usenet feed growth Methane mapping City99 console font Sat 2024-11-16 Lorraine Gervais Sill Justin's Linklog Thune 2004 blog campaign Fri 2024-11-15 Open source garage door Search Archives 2023 12 11 10 09 08 07 06 05 04 03 02 01 2022 12 11 10 09 08 07 06 05 04 03 02 01 2021 12 11 10 09 08 07 06 05 04 03 02 01 2020 12 11 10 09 08 07 06 05 04 03 02 01 2019 12 11 10 09 08 07 06 05 04 03 02 01 2018 12 11 10 09 08 07 06 05 04 03 02 01 2017 12 11 10 09 08 07 06 05 04 03 02 01 2016 12 11 10 09 08 07 06 05 04 03 02 01 2015 12 11 10 09 08 07 06 05 04 03 02 01 2014 12 11 10 09 08 07 06 05 04 03 02 01 2013 12 11 10 09 08 07 06 05 04 03 02 01 2012 12 11 10 09 08 07 06 05 04 03 02 01 2011 12 11 10 09 08 07 06 05 04 03 02 01 2010 12 11 10 09 08 07 06 05 04 03 02 01 2009 12 11 10 09 08 07 06 05 04 03 02 01 2008 12 11 10 09 08 07 06 05 04 03 02 01 2007 12 11 10 09 08 07 06 05 04 03 02 01 2006 12 11 10 09 08 07 06 05 04 03 02 01 2005 12 11 10 09 08 07 06 05 04 03 02 01 2004 12 11 10 09 08 07 06 05 04 03 02 01 2003 12 11 10 09 08 07 06 05 04 03 02 01 2002 12 11 10 09 08 07 06 05 04 03 02 01 2001 12 11 10 09 08 07 One good site MDN Nelson Minar nelson@monkey.org Blog licensed under a Creative Commons License		Parsing XML can open network sockets XML is bad for data transfer for lots of reasons. It's slow to parse, awfully wordy, doesn't support 8 bit data, etc etc. But my favourite thing is how most XML consumers can be induced to open arbitrary URLs. There's a 4+ year old security hole in many XML parsers called XXE, the Xml eXternal Entity attack. Take a look: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE doc [ <!ENTITY passwd SYSTEM "file:///etc/passwd"> <!ENTITY http SYSTEM "http://example.com/delAll"> ]> <eyeAmH4xor> &passwd; &http; </eyeAmH4xor> Don't let all the pointy-parentheses confuse you (although they're a good reason to hate XML too). What's going on there is my document has defined two new entities called passwd and http and then used them. They're defined as expanding to the contents of URIs. About 3/4 of the XML applications I've encountered out there will blindly do as ordered and load the URIs. The app will load the password file, at which point a clever hacker can usually induce the application to send it back to them (as an error message, for instance). Even better it will load the HTTP URL. Yes, many XML applications will load any URL you tell them to. From the app server. Nice, huh? XXE is an old bug, but it keeps coming back because most people using XML would never think their little XML parser can be instructed to start opening network sockets. Acrobat had this bug just last year. XML parsers usually have obscure options to secure them, but many have them off by default. Why are we using a data format where this is possible at all? tech • bad 2006-08-17 00:48 Z Nelson's Weblog • tech • bad