Yesterday, the Sonarsource people disclosed a nice XXE in Wordpress, aka CVE-2021-29447, likely found by the RIPS scanner that they acquired last year.
As explained in their blogpost, the issue was in wp-includes/ID3/getid3.lib.php:
if (PHP_VERSION_ID < 80000) {
// This function has been deprecated in PHP 8.0 because in libxml 2.9.0, external entity loading is
// disabled by default, so this function is no longer needed to protect against XXE attacks.
$loader = libxml_disable_entity_loader(true);
}
$XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', LIBXML_NOENT);
Plot twist: the LIBEXML_NOENT doesn't
disable external entities, it means that entities
should be expanded so that no entity nodes should be created inside the parsed
document, which is completely stupid and misleading, especially for a
security-sensitive knob.
Anyway, Snuffleupagus anti-XXE mechanism was supposed to save the day, except it didn't, because as PHP's documentation says:
Disable/enable the ability to load external entities. Note that disabling the loading of external entities may cause general issues with loading XML documents. However, as of libxml 2.9.0 entity substitution is disabled by default, so there is no need to disable the loading of external entities, unless there is the need to resolve internal entity references with
LIBXML_NOENT.
So it's disabled by default, except when you want to actually use it
explicitly, as discretely highlighted by
PHP's own testsuite.
The proper™ way now being to use
libxml_set_external_entity_loader instead,
which Snuffleupagus didn't.
Wordpress patched it by invoking libxml_disable_entity_loader no matter the
PHP version, but if you can't upgrade,
the virtual-patch is simple enough:
sp.disable_function("simplexml_load_string").param("2").value("2").drop();
The next version of Snuffleupagus that should be released at the beginning of May will implement a defence in depth against XXE, mitigating this vulnerability.