streetcomplete / sc-statistics-service

Statistics generation service for StreetComplete
GNU General Public License v3.0

Possible XML External Entity Injection #2

Closed exploide closed 4 years ago

exploide commented 4 years ago

In the following location, untrusted XML is loaded via simplexml_load_string:

https://github.com/westnordost/sc-statistics-service/blob/85d3ad2f585123dc554923928df58f0f15951e35/ChangesetsParser.class.php#L10

Processing untrusted XML could possibly introduce an XML External Entity Injection vulnerability where files from the server could be exfiltrated. In theory, PHP even allows executing code this way.

While it is possible that the default configuration on your system is safe, it is not guaranteed. Hence it is recommended to explicitly set libxml_disable_entity_loader(true); beforehand.
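
Added example, not part of the original issue and not code from sc-statistics-service: a parsing wrapper that applies the recommendation above on PHP versions below 8.0 (where `libxml_disable_entity_loader()` is not yet deprecated) and goes one step further by rejecting any document that contains a DOCTYPE. The helper name `parse_untrusted_xml()` and both sample documents are assumptions constructed for illustration.

```php
<?php
// Added example, not code from sc-statistics-service.
// parse_untrusted_xml() is a hypothetical helper name.
function parse_untrusted_xml(string $xml): SimpleXMLElement
{
    if ($xml === '') {
        throw new InvalidArgumentException('Empty XML');
    }
    // PHP < 8.0: set the loader switch explicitly, as the issue recommends.
    // The function is deprecated as of PHP 8.0, so it is not called there.
    $restore = null;
    if (PHP_VERSION_ID < 80000) {
        $restore = libxml_disable_entity_loader(true);
    }
    $prevErrors = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // No LIBXML_NOENT or LIBXML_DTDLOAD, so entities are not expanded
        // and external DTDs are not fetched; LIBXML_NONET forbids network access.
        if (!$dom->loadXML($xml, LIBXML_NONET)) {
            throw new InvalidArgumentException('Malformed XML');
        }
        // Reject any document that carries a DOCTYPE at all.
        foreach ($dom->childNodes as $node) {
            if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new InvalidArgumentException('DOCTYPE not allowed');
            }
        }
        return simplexml_import_dom($dom);
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($prevErrors);
        if ($restore !== null) {
            libxml_disable_entity_loader($restore);
        }
    }
}

// Constructed sample inputs (not real service data).
$plain = '<osm><changeset id="1" user="constructed"/></osm>';
$withDoctype = '<?xml version="1.0"?><!DOCTYPE osm [<!ENTITY e SYSTEM '
    . '"file:///constructed/placeholder">]><osm>&e;</osm>';

echo (string) parse_untrusted_xml($plain)->changeset['user'], PHP_EOL;
try {
    parse_untrusted_xml($withDoctype);
} catch (InvalidArgumentException $ex) {
    echo 'rejected: ', $ex->getMessage(), PHP_EOL;
}
```

Rejecting the DOCTYPE outright is only appropriate when the expected input never needs one; the wrapper restores the previous libxml settings so other code in the same process is unaffected.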

westnordost commented 4 years ago

That's interesting, thank you!