slimphp / Slim

Slim is a PHP micro framework that helps you quickly write simple yet powerful web applications and APIs.
http://slimframework.com
MIT License

XXE attack in 3.x #1623

Closed phith0n closed 8 years ago

phith0n commented 8 years ago

Just like https://github.com/slimphp/Slim/pull/610, the XXE attack also affects Slim framework 3.x. While my application accepts POST data, an attacker can read arbitrary files or cause other system impacts. A screen capture of the XXE attack result is shown here (image not included on this page). The vulnerable code:

<?php
require 'vendor/autoload.php';
$app = new \Slim\App();
// Vulnerable as reported: an application/xml body is parsed by Slim 3's default
// XML media type parser, and the external entities it declares are resolved
$app->post("/info", function ($request, $response) {
    $parsedBody = $request->getParsedBody();
    print_r($parsedBody);
});
$app->run();
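The hardened counterpart of the route above, as an added example that is neither the reporter's code nor the Slim project's fix. It assumes Slim 3.x installed via Composer (so that `Slim\App` and `Slim\Http\Request::registerMediaTypeParser` are available) and replaces the default XML body parsers with one that never substitutes entities, never touches the network while parsing, and rejects any document carrying a DOCTYPE, which an API payload does not need. The function name `parseXmlBodySafely` and the sample XXE payload are constructed for this example.

```php
<?php
// Added example, not code from the Slim project or the issue reporter.
// Assumes Slim 3.x (Slim\App, Slim\Http\Request) installed via Composer.
require 'vendor/autoload.php';

use Slim\App;
use Slim\Http\Request;

/**
 * Parse an XML request body without resolving external entities.
 * Returns a SimpleXMLElement, or null when the body is not well-formed XML
 * or carries a DOCTYPE (the only place entity declarations can live).
 */
function parseXmlBodySafely(string $input): ?SimpleXMLElement
{
    // Old libxml2 (< 2.9) loaded external entities by default; turn that off.
    // The call is deprecated on PHP 8, where entity loading is already off.
    if (PHP_VERSION_ID < 80000 && function_exists('libxml_disable_entity_loader')) {
        $previous = libxml_disable_entity_loader(true);
    }
    $useErrors = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // LIBXML_NONET: no network access during parsing.
        // LIBXML_NOENT is deliberately NOT set: entities are never substituted.
        $ok = $dom->loadXML($input, LIBXML_NONET);
        if ($ok === false || $dom->doctype !== null) {
            return null; // malformed, or declares entities: refuse it outright
        }
        return simplexml_import_dom($dom);
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($useErrors);
        if (isset($previous)) {
            libxml_disable_entity_loader($previous);
        }
    }
}

$app = new App();

// Override Slim 3's built-in XML parsers before any route reads the body.
$app->add(function (Request $request, $response, $next) {
    foreach (['application/xml', 'text/xml'] as $mediaType) {
        $request->registerMediaTypeParser($mediaType, 'parseXmlBodySafely');
    }
    return $next($request, $response);
});

$app->post('/info', function (Request $request, $response) {
    $parsedBody = $request->getParsedBody();
    if ($parsedBody === null) {
        return $response->withStatus(400)->write('Malformed or disallowed XML body');
    }
    return $response->withJson(['received' => (array) $parsedBody]);
});

if (PHP_SAPI === 'cli') {
    // Constructed XXE payload of the kind the report describes; not the reporter's request.
    $payload = '<?xml version="1.0"?>'
        . '<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
        . '<r><name>&xxe;</name></r>';
    var_dump(parseXmlBodySafely($payload));                   // rejected: carries a DOCTYPE
    var_dump(parseXmlBodySafely('<r><name>alice</name></r>')); // plain element tree is accepted
} else {
    $app->run();
}
```

Running the file from the CLI exercises only the parser on the two constructed bodies; under a web server it serves the hardened `/info` route. Rejecting the DOCTYPE wholesale is stricter than disabling the entity loader alone: it also stops internal-entity expansion attacks (billion laughs), and it avoids depending on which libxml2 build and which default flags the deployment happens to have.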
akrabat commented 8 years ago

Fixed in #1624. Thank you very much for the report.