PHP XXE Injection Vulnerability Let Attackers Read Config Files & Private Keys

Security researchers have documented an XML External Entity (XXE) injection technique against PHP applications that lets attackers read sensitive configuration files and private keys from the server.

The technique, discovered by researcher Aleksandr Zhurnakov, affects PHP applications that pass certain libxml flags (notably LIBXML_DTDLOAD) when parsing XML, and can expose critical server-side files even where the usual XXE mitigations are in place.

It bypasses several mechanisms meant to prevent XXE attacks, including the LIBXML_NONET flag, which is intended to block network access during XML parsing.


This attack vector works even when developers follow seemingly secure coding practices.

Analysts at PT Swarm showed that the exploitation chain is a series of individual bypasses that, taken together, produce what they call an “almost impossible XXE vulnerability.”

Working XXE Payload (Source – PT Swarm)

Their analysis shows the attack could be particularly devastating for identity providers and authentication systems.

The technical core of the technique is the way PHP’s libxml-based XML parser handles parameter entities declared in a DTD.

A vulnerable code pattern identified in the research parses user input once without flags, re-serialises it with saveXML, and parses the result again with the LIBXML_DTDLOAD flag, as in this snippet:

$doc = new \DOMDocument();
$doc->loadXML($_POST['user_input']);                 // first parse: no flags, so no external DTD is fetched
$xml = $doc->saveXML();                              // re-serialise; the DOCTYPE declaration is emitted with the document
$doc = new \DOMDocument('1.0', 'UTF-8');
$doc->loadXML($xml, LIBXML_DTDLOAD | LIBXML_NONET);  // second parse: LIBXML_DTDLOAD now loads external DTDs despite LIBXML_NONET

The exploitation process involves crafting a special DOCTYPE declaration that gets past the application’s filtering.

The attacker then combines PHP stream wrappers with parameter-entity abuse to read local files and exfiltrate their contents.

Real-World Impact

The technique has already been found exploitable in SimpleSAMLphp (CVE-2024-52596), where it allowed unauthorized users to read configuration files and the private keys used to sign SAML assertions.

With the signing key in hand an attacker can forge assertions, which amounts to a complete authentication bypass for SimpleSAMLphp installations configured as Identity Providers.

What makes this particularly concerning is that it works without LIBXML_NOENT or LIBXML_DTDVALID, the flags usually needed for XXE exploitation; LIBXML_DTDLOAD alone is enough.

It also demonstrates a bypass of network restrictions: libxml’s LIBXML_NONET check only refuses http:// and ftp:// system identifiers, so a DTD supplied through PHP’s data: stream wrapper, combined with php://filter, is loaded regardless. (PHP’s data: wrapper is itself subject to allow_url_fopen, which is on by default.)

Security experts recommend updating affected applications immediately and parsing untrusted XML with a configuration that never passes LIBXML_DTDLOAD, LIBXML_NOENT or LIBXML_DTDVALID. On PHP 8.4.0 and later, add the LIBXML_NO_XXE flag, which disables loading of external entities regardless of the other flags (the constant is only defined when PHP is built against libxml2 2.13 or newer, so test for it with defined()). On older versions, reject any document that contains a DOCTYPE before processing it.
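The following added example (not code from PT Swarm or SimpleSAMLphp) puts the vulnerable loadXML/saveXML/loadXML pattern shown above and the hardening advice side by side, on a constructed payload. It demonstrates three primitives the article describes: a DOCTYPE with an external SYSTEM identifier survives the saveXML round trip; with LIBXML_DTDLOAD the second parse fetches that DTD from a data: URI even under LIBXML_NONET; and the entity the DTD declares is resolved by textContent without LIBXML_NOENT. Assumptions: PHP 8.x with the dom extension and allow_url_fopen=On (the default). The php://filter chain that turns an arbitrary local file into well-formed DTD markup is not reproduced; the external DTD here is a constant string.

```php
<?php
declare(strict_types=1);

// Added example, not PT Swarm's payload or SimpleSAMLphp's code.
// Assumes PHP 8.x with ext/dom and allow_url_fopen=On: PHP's data: stream
// wrapper is a URL wrapper and is refused when that setting is off.
libxml_use_internal_errors(true);

// Constructed external DTD. In the real attack this text is built from a
// local file via php://filter; here it is a constant so the script is self-contained.
const EXTERNAL_DTD = '<!ENTITY leak "external-DTD-loaded-despite-LIBXML_NONET">';

// Attacker-controlled document: the DOCTYPE carries its DTD as a data: URI in
// the SYSTEM identifier, so nothing is fetched over the network. A flag-less
// parse does not load external subsets; only LIBXML_DTDLOAD does.
function buildPayload(): string
{
    $dtdUri = 'data://text/plain;base64,' . base64_encode(EXTERNAL_DTD);
    return '<?xml version="1.0"?>'
        . '<!DOCTYPE x SYSTEM "' . $dtdUri . '">'
        . '<x>&leak;</x>';
}

// The vulnerable pattern from the article: parse without flags, re-serialise,
// parse again with LIBXML_DTDLOAD | LIBXML_NONET, then use the text content.
function vulnerableRoundTrip(string $userInput): string
{
    $doc = new \DOMDocument();
    $doc->loadXML($userInput);   // no DTD fetched; &leak; stays an unresolved reference
    $xml = $doc->saveXML();      // the DOCTYPE and its SYSTEM identifier are re-emitted as-is

    $doc = new \DOMDocument('1.0', 'UTF-8');
    // LIBXML_NONET only refuses http:// and ftp:// identifiers, so the data:
    // DTD is loaded and the entity it declares becomes resolvable.
    $doc->loadXML($xml, LIBXML_DTDLOAD | LIBXML_NONET);

    // No LIBXML_NOENT was given, yet textContent walks into the entity's
    // replacement text. This is the read-back channel without NOENT.
    return $doc->documentElement->textContent;
}

// Hardened parser for untrusted XML: never pass LIBXML_DTDLOAD, LIBXML_NOENT or
// LIBXML_DTDVALID; add LIBXML_NO_XXE where the runtime defines it (PHP >= 8.4
// built against libxml2 >= 2.13); and refuse any document carrying a DOCTYPE,
// which also closes internal-subset tricks such as entity expansion.
function parseUntrusted(string $xml): \DOMDocument
{
    $flags = LIBXML_NONET;
    if (defined('LIBXML_NO_XXE')) {
        $flags |= LIBXML_NO_XXE;
    }
    $doc = new \DOMDocument('1.0', 'UTF-8');
    if (!$doc->loadXML($xml, $flags)) {
        libxml_clear_errors();
        throw new \RuntimeException('XML is not well-formed');
    }
    if ($doc->doctype !== null) {
        throw new \RuntimeException('DOCTYPE is not allowed in untrusted XML');
    }
    return $doc;
}

$payload = buildPayload();
echo 'vulnerable pattern yields: ', vulnerableRoundTrip($payload), PHP_EOL;
try {
    parseUntrusted($payload);
} catch (\RuntimeException $e) {
    echo 'hardened parser: ', $e->getMessage(), PHP_EOL;
}
```

Run with `php xxe_roundtrip.php`: the vulnerable function returns the text of the entity declared in the data: DTD, showing that the external subset was loaded under LIBXML_NONET and resolved without LIBXML_NOENT, while parseUntrusted rejects the same input before any application code touches it. The DOCTYPE check is deliberately placed after a parse that cannot load external content, so the decision is made on the parsed document rather than on a string pattern an attacker can reshape.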


Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.