XML external entity injection via File Upload

Description

XML External Entity (XXE) injection is a vulnerability that occurs when an XML parser processes untrusted XML input containing references to external entities. Entity declarations in the Document Type Definition (DTD) can instruct the parser to retrieve content from external sources (local files or URLs) and substitute it into the document. When user-controlled XML is uploaded and parsed without restricting this behaviour, an attacker can craft a document that references sensitive local files or internal network resources. This vulnerability was identified in file upload functionality where the application parses uploaded XML files without disabling external entity resolution.

Remediation

Implement the following security measures to prevent XXE injection attacks:

1. Disable External Entity Processing (Recommended):
Configure your XML parser to disable DTD processing and external entity resolution entirely. Implementation varies by parser:

For Java (DocumentBuilderFactory):

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// Rejecting any <!DOCTYPE> is the primary control: no DTD means no entity declarations at all.
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// Defence in depth in case a DTD is ever allowed: never resolve external general or parameter entities.
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
dbf.setXIncludeAware(false);          // XInclude can also pull in external documents
dbf.setExpandEntityReferences(false);
// setFeature throws ParserConfigurationException if the parser does not support a feature; treat that as fatal.
DocumentBuilder db = dbf.newDocumentBuilder();

For PHP (libxml):
// Only needed on PHP < 8.0: deprecated in 8.0 because libxml >= 2.9 disables external entity loading by default.
if (PHP_VERSION_ID < 80000) { libxml_disable_entity_loader(true); }
$dom = new DOMDocument();
// Never pass LIBXML_NOENT or LIBXML_DTDLOAD here: those flags turn entity substitution and external DTD loading ON.
$dom->loadXML($xml, LIBXML_NONET); // LIBXML_NONET additionally blocks network access during parsing

For .NET:
using System.Xml;

XmlReaderSettings settings = new XmlReaderSettings();
settings.DtdProcessing = DtdProcessing.Prohibit; // throws XmlException on any DOCTYPE
settings.XmlResolver = null;                     // nothing external is ever fetched, even if a DTD is processed
XmlReader reader = XmlReader.Create(stream, settings);

2. Input Validation:
Validate uploaded files to ensure they are legitimate XML documents, and reject any file containing a DOCTYPE declaration or entity references if external entities are not required. Perform this check on the file content before it reaches the application's XML parser; file extension and Content-Type checks alone do not prevent XXE, because the parser only sees the bytes.

3. Use Less Complex Data Formats:
Where possible, use simpler data formats like JSON instead of XML to avoid XXE vulnerabilities entirely.

4. Keep XML Processors Updated:
Ensure all XML parsing libraries are updated to the latest versions with security patches applied.
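As an added example (not code from the original database entry), the following Python script shows a pre-parse gate that implements measure 2 on top of measure 1: it runs the upload through the standard library's expat parser with callbacks that record any DOCTYPE declaration, entity declaration or external entity reference, never fetches anything, and returns a rejection reason before the document reaches the application's real parser. The function and sample names are my own, and the sample uploads, including the placeholder URI file:///placeholder/not-read, are constructed for the demonstration.

```python
"""Pre-parse gate for uploaded XML (added example, not the original page's code)."""
import xml.parsers.expat as expat

# Constructed sample uploads for the demonstration; none is real data.
SAFE_UPLOAD = b'<?xml version="1.0"?><invoice><id>42</id></invoice>'
DOCTYPE_ONLY_UPLOAD = b'<?xml version="1.0"?><!DOCTYPE invoice><invoice><id>42</id></invoice>'
EXTERNAL_ENTITY_UPLOAD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE invoice [<!ENTITY ext SYSTEM "file:///placeholder/not-read">]>'  # placeholder URI
    b'<invoice><id>&ext;</id></invoice>'
)
MALFORMED_UPLOAD = b'<invoice><id>42</invoice>'


def validate_uploaded_xml(data: bytes) -> tuple[bool, str]:
    """Return (True, root_element_name) if `data` is well-formed XML with no
    DOCTYPE, no entity declarations and no external entity references;
    otherwise (False, reason).  Nothing is read from disk or the network:
    expat only calls back into this function, and no sub-parser is created."""
    reasons: list[str] = []
    root: list[str] = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Any DOCTYPE is rejected: every entity declaration needs one, so this
        # single check also covers internal-entity expansion attacks.
        reasons.append(f"DOCTYPE declaration for '{name}' is not allowed")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter" if is_param else "general"
        reasons.append(f"{kind} entity declaration '{name}' is not allowed")

    def on_external_ref(context, base, sysid, pubid):
        reasons.append(f"external entity reference to {sysid!r} is not allowed")
        return 1  # report "handled" so parsing continues; the entity stays empty

    def on_start(name, attrs):
        if not root:
            root.append(name)

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        return False, f"not well-formed XML: {exc}"
    if reasons:
        return False, "; ".join(reasons)
    return True, root[0]


if __name__ == "__main__":
    samples = [
        ("safe", SAFE_UPLOAD),
        ("doctype only", DOCTYPE_ONLY_UPLOAD),
        ("external entity", EXTERNAL_ENTITY_UPLOAD),
        ("malformed", MALFORMED_UPLOAD),
    ]
    for label, upload in samples:
        ok, detail = validate_uploaded_xml(upload)
        print(f"{label:<16} {'ACCEPT' if ok else 'REJECT'}  {detail}")
```

Run the gate on the raw upload bytes and only hand accepted documents to the application's parser, which should itself still be configured as in measure 1; the gate is a second, independent layer, not a replacement for a hardened parser.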
