Shulou(Shulou.com)06/01 Report--

Cause of vulnerability:

The parsing of XML files depends on the libxml library, while the previous version of libxml 2.9 supports and enables references to external entities by default. When parsing xml files submitted by users, the server does not properly handle the external entities referenced by xml files (including external ordinary entities and external parameter entities).

Impact:

Common XML parsing methods are: DOMDocument, SimpleXML, XMLReader, these three are based on libxml library parsing XML, so all are affected, xml_parse function is based on expact parser, the default does not load external DTD, unaffected.

Repair:

Php uses libxml_disable_entity_loader (true) to disable the loading of external entities before parsing the xml file.

* Code:

& xxe;EOF;$xml = simplexml_load_string ($xmlstring); print_r ($xml);? >

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.