Bug #76042 XMLReader::read() Information Leaked
Submitted: 2018-03-02 03:08 UTC
Modified: 2018-03-02 22:00 UTC
From: zhihua dot yao at dbappsecurity dot com dot cn
Assigned:
Status: Not a bug
Package: XML Reader
PHP Version: 7.2.3
OS:
Private report: No
CVE-ID: None
 [2018-03-02 03:08 UTC] zhihua dot yao at dbappsecurity dot com dot cn
Description:
------------
This function gives some warnings. But it shouldn't leak any information.

Test script:
---------------
<?php
$xml = new XMLReader();
$xml->open("file:///etc/passwd");
$xml->read();
$xml->close();


Expected result:
----------------
Warning: XMLReader::read(): /etc/passwd:1: parser error : Document is empty in /home/hackyzh/Desktop/poc.php on line 5

Warning: XMLReader::read(): ^ in /home/hackyzh/Desktop/poc.php on line 5

Actual result:
--------------
Warning: XMLReader::read(): /etc/passwd:1: parser error : Document is empty in /home/hackyzh/Desktop/poc.php on line 5

Warning: XMLReader::read(): root:x:0:0:root:/root:/bin/bash in /home/hackyzh/Desktop/poc.php on line 5

Warning: XMLReader::read(): ^ in /home/hackyzh/Desktop/poc.php on line 5


 [2018-03-02 06:54 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2018-03-02 06:54 UTC] stas@php.net
Where is the security issue? You read the file, it's not XML, you get some warnings. Where's the security issue?
 [2018-03-02 07:22 UTC] zhihua dot yao at dbappsecurity dot com dot cn
-Status: Feedback +Status: Open
 [2018-03-02 07:22 UTC] zhihua dot yao at dbappsecurity dot com dot cn
Warning: XMLReader::read(): root:x:0:0:root:/root:/bin/bash in /home/hackyzh/Desktop/poc.php on line 5

It read the file '/etc/passwd'.
 [2018-03-02 08:17 UTC] stas@php.net
Of course it read the file, you told it to read the file.
 [2018-03-02 08:17 UTC] stas@php.net
-Status: Open +Status: Not a bug
 [2018-03-02 08:17 UTC] stas@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.


 [2018-03-02 08:26 UTC] zhihua dot yao at dbappsecurity dot com dot cn
According to my understanding, because this is not an xml, it should not output anything that is not xml.
 [2018-03-02 22:00 UTC] stas@php.net
-Type: Security +Type: Bug
 [2018-03-02 22:00 UTC] stas@php.net
This understanding is incorrect; error messages can contain other things, and it is explicitly insecure to leave error messages exposed to site visitors. Not only is this not a security issue, this is not an issue at all; it's working as it was supposed to.
 [2018-03-02 23:02 UTC] spam2 at rhsoft dot net
When your webserver is allowed to read /etc unconditionally you are lost anyways - full stop
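
The advice in the thread above, that error messages must not be left exposed to site visitors, sketched as an added example (not part of the original report and not PHP project code). `parseQuietly()` is a hypothetical helper name; the input URI is the one from the test script.

```php
<?php
// Added example: parse with XMLReader while keeping every parser
// diagnostic out of the response. parseQuietly() is a hypothetical helper.

// Never render PHP diagnostics to visitors; send them to the server log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

function parseQuietly(string $uri): array
{
    // Buffer libxml diagnostics instead of raising them as PHP warnings.
    $previous = libxml_use_internal_errors(true);
    libxml_clear_errors();

    // Any E_WARNING still raised by XMLReader itself goes to the log only.
    set_error_handler(static function (int $no, string $msg): bool {
        error_log('XMLReader warning: ' . $msg);
        return true; // handled: do not fall through to PHP's default output
    }, E_WARNING);

    $nodes = 0;
    $ok = false;
    try {
        $reader = new XMLReader();
        if ($reader->open($uri)) {
            while ($reader->read()) {
                $nodes++;
            }
            $reader->close();
        }
        // Diagnostics can include input content (as in the report above),
        // so they are written to the server log and never echoed.
        $errors = libxml_get_errors();
        foreach ($errors as $e) {
            error_log(sprintf('libxml %s:%d: %s', $e->file, $e->line, trim($e->message)));
        }
        $ok = $nodes > 0 && count($errors) === 0;
    } finally {
        // Restore global state so other code sees its usual error behaviour.
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
        restore_error_handler();
    }
    return ['ok' => $ok, 'nodes' => $nodes];
}

$result = parseQuietly('file:///etc/passwd'); // same input as the test script
echo $result['ok'] ? "parsed\n" : "The document could not be processed.\n";
```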
 
Last updated: Tue Dec 01 06:01:23 2020 UTC