Information Leak Through XML External Entity File Disclosure
Weakness ID: 611 (Weakness Variant) | Status: Draft
Description Summary
Extended Description
XML documents may carry a Document Type Definition (DTD), which, among other features, allows "XML entities" to be declared. An entity can be declared with a substitution value given as a URI (its SYSTEM identifier); when the DTD is processed, the parser fetches the resource at that URI and substitutes its content for every reference to the entity. The attack embeds in the submitted XML document an entity declaration whose URI is a file URL. The receiving parser maps that URL to a file on the server, substitutes the file's contents into the document, and hands the result to the processing application. If that application echoes the data back (for example in an error message), the file contents are exposed.
Observed Examples

Reference | Description
---|---
CVE-2005-1306 | A browser control can allow remote attackers to determine the existence of files via Javascript containing XML script, aka the "XML External Entity vulnerability."
Other Notes

Note that a URL need not use an HTTP scheme. In particular, a URL such as "file:///c:/winnt/win.ini" designates (on Windows) the file C:\Winnt\win.ini, and a URL of that form can designate any file on any drive that the parsing process is able to read.
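The following is an added example, not code from the CWE entry or from any product it cites. It reproduces the mechanism described in the Extended Description and the file-URL point above with the Python standard library's xml.sax parser: a DTD declares an entity whose SYSTEM identifier is a file URL, the parser substitutes the file's contents for the entity reference, and the text the application would echo back now contains the file. The same payload is then parsed with external entity resolution disabled, and with a DOCTYPE-rejecting lexical handler, to show the two hardening points. The secret file, its contents and the order document are constructed for the demo; the URL is built with pathlib's as_uri(), so it works on Windows (file:///c:/...) as well as on Unix-like systems. Current Python versions ship xml.sax with feature_external_ges off by default, so the vulnerable configuration is enabled explicitly.

```python
"""Added example (not part of the CWE entry): CWE-611 file disclosure through
an XML external entity, shown with only the Python standard library.

A DTD declares the entity 'xxe' with a SYSTEM identifier that is a file://
URL. A parser that resolves external entities substitutes the file's
contents wherever &xxe; appears, so anything the application later echoes
back (an error message, a confirmation page) leaks the file. The secret file
and the XML payload below are constructed for the demo.
"""
import io
import pathlib
import tempfile
import xml.sax
import xml.sax.handler


class TextCollector(xml.sax.handler.ContentHandler):
    """Collects the character data the application would later echo back."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


class DtdForbidden(Exception):
    """Raised when a document carries a DOCTYPE and the parser refuses DTDs."""


class DoctypeRejector:
    """Lexical handler whose only job is to abort on the start of a DTD.

    Most applications never need a DTD, so refusing it removes the whole
    entity-declaration surface instead of switching off one resolution feature.
    The other four methods are required by the lexical-handler interface.
    """

    def startDTD(self, name, public_id, system_id):
        raise DtdForbidden(f"DOCTYPE {name!r} not allowed (system id {system_id!r})")

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def build_payload(file_url: str) -> bytes:
    """Attacker-controlled document: the entity 'xxe' points at a local file."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE order [\n"
        f'  <!ENTITY xxe SYSTEM "{file_url}">\n'
        "]>\n"
        "<order><customer>&xxe;</customer></order>\n"
    ).encode()


def parse_customer(payload: bytes, resolve_external: bool, allow_dtd: bool = True) -> str:
    """Parse with xml.sax and return the text the application would use.

    resolve_external=True reproduces the vulnerable configuration
    (feature_external_ges on); False is the hardened one. allow_dtd=False
    additionally rejects any DOCTYPE through DoctypeRejector.
    """
    parser = xml.sax.make_parser()
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external)
    if not allow_dtd:
        parser.setProperty(xml.sax.handler.property_lexical_handler, DoctypeRejector())
    parser.parse(io.BytesIO(payload))
    return "".join(collector.parts).strip()


def demo() -> dict:
    """Run the three configurations against the same payload.

    'leaked' is what the vulnerable parser substitutes for &xxe;, 'hardened'
    what the same parser yields with external entities off, and
    'dtd_rejected' whether the DOCTYPE-refusing parser threw the document out.
    """
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for a sensitive server-side file.
        secret = pathlib.Path(tmp) / "app.conf"
        secret.write_text("db_password=s3cr3t", encoding="utf-8")
        payload = build_payload(secret.resolve().as_uri())

        leaked = parse_customer(payload, resolve_external=True)
        hardened = parse_customer(payload, resolve_external=False)
        try:
            parse_customer(payload, resolve_external=False, allow_dtd=False)
            dtd_rejected = False
        except DtdForbidden:
            dtd_rejected = True
    return {"leaked": leaked, "hardened": hardened, "dtd_rejected": dtd_rejected}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the module prints the three outcomes; the leaked value is exactly the secret file's contents, which is what an application that copies the customer field into an error message would hand to the attacker. Rejecting the DOCTYPE is the stronger control because it also removes entity-expansion attacks that have nothing to do with file disclosure; disabling external entity resolution alone is the minimal fix when the application genuinely has to accept a DTD.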
Relationships

Nature | Type | ID | Name | View(s) this relationship pertains to
---|---|---|---|---
ChildOf | Weakness Base | 538 | File and Directory Information Exposure | Development Concepts (primary) 699; Research Concepts 1000
ChildOf | Weakness Class | 610 | Externally Controlled Reference to a Resource in Another Sphere | Research Concepts 1000
ChildOf | Weakness Class | 673 | External Influence of Sphere Definition | Research Concepts (primary) 1000
Taxonomy Mappings

Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
---|---|---|---
Anonymous Tool Vendor (under NDA) | | |
WASC | 43 | | XML External Entities
Submissions

Submission Date | Submitter | Organization | Source
---|---|---|---
 | Anonymous Tool Vendor (under NDA) | | Externally Mined

Modifications

Modification Date | Modifier | Organization | Source | Changes
---|---|---|---|---
2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction
2008-09-08 | CWE Content Team | MITRE | Internal | updated Description, Relationships, Observed Example, Other Notes, Taxonomy Mappings