php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #76042 XMLReader::read() Information Leaked
Submitted: 2018-03-02 03:08 UTC Modified: 2018-03-02 22:00 UTC
From: zhihua dot yao at dbappsecurity dot com dot cn Assigned:
Status: Not a bug Package: XML Reader
PHP Version: 7.2.3 OS:
Private report: No CVE-ID: None
View Developer Edit
 [2018-03-02 03:08 UTC] zhihua dot yao at dbappsecurity dot com dot cn 
Description:
------------
This function gives some warnings.But it shoudn't leak any information.

Test script:
---------------
<?php
$xml = new XMLReader();
$xml->open("file:///etc/passwd");
$xml->read();
$xml->close();


Expected result:
----------------
Warning: XMLReader::read(): /etc/passwd:1: parser error : Document is empty in /home/hackyzh/Desktop/poc.php on line 5

Warning: XMLReader::read(): ^ in /home/hackyzh/Desktop/poc.php on line 5

Actual result:
--------------
Warning: XMLReader::read(): /etc/passwd:1: parser error : Document is empty in /home/hackyzh/Desktop/poc.php on line 5

Warning: XMLReader::read(): root:x:0:0:root:/root:/bin/bash in /home/hackyzh/Desktop/poc.php on line 5

Warning: XMLReader::read(): ^ in /home/hackyzh/Desktop/poc.php on line 5

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-03-02 06:54 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2018-03-02 06:54 UTC] stas@php.net 
Where is the security issue? You read the file, it's not XML, you get some warnings. Where's the security issue?
 [2018-03-02 07:22 UTC] zhihua dot yao at dbappsecurity dot com dot cn
-Status: Feedback +Status: Open
 [2018-03-02 07:22 UTC] zhihua dot yao at dbappsecurity dot com dot cn 
Warning: XMLReader::read(): root:x:0:0:root:/root:/bin/bash in /home/hackyzh/Desktop/poc.php on line 5

It read the file '/etc/passwd'.
 [2018-03-02 08:17 UTC] stas@php.net 
Of course it read the file, you told it to read the file.
 [2018-03-02 08:17 UTC] stas@php.net
-Status: Open +Status: Not a bug
 [2018-03-02 08:17 UTC] stas@php.net 
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.
 [2018-03-02 08:26 UTC] zhihua dot yao at dbappsecurity dot com dot cn 
According to my understanding, because this is not an xml, it should not output anything that is not xml.
 [2018-03-02 22:00 UTC] stas@php.net
-Type: Security +Type: Bug
 [2018-03-02 22:00 UTC] stas@php.net 
This understanding is incorrect, error messages can contain other things and it is explicitly insecure to leave error messages exposed to site visitors. Not only this is not a security issue, this is not an issue at all, it's working as it was supposed to.
 [2018-03-02 23:02 UTC] spam2 at rhsoft dot net 
when your webserver is allowed to read /etc unconditional you are lost anyways - full stop
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Dec 26 21:01:28 2024 UTC