PHP XXE Injection Vulnerability Allows Attackers to Access Config Files & Private Keys

A newly uncovered XML External Entity (XXE) injection vulnerability in PHP has demonstrated how attackers can bypass multiple security mechanisms to access sensitive configuration files and private keys.

The vulnerability, detailed by web application security researcher Aleksandr Zhurnakov, highlights the risks posed by improper XML parsing configurations, even in seemingly secure implementations.

The exploit leverages a combination of PHP’s libxml extension and its wrappers, enabling attackers to bypass restrictions such as LIBXML_NONET, LIBXML_DTDLOAD, and other flags.

These flags are designed to prevent loading external entities or accessing external resources, but the research reveals how they can be circumvented using advanced payloads and techniques.

Bypassing Security Flags and Filters

The vulnerability arises from the way PHP handles XML parsing via the DOMDocument class. By default, external entity loading is disabled, but certain flags like LIBXML_DTDLOAD allow attackers to load malicious DTD files.

These files can then be crafted to exfiltrate data such as /etc/passwd or private keys by exploiting PHP wrappers like php://filter.

One of the critical bypasses involves replacing http:// URLs with alternative wrappers such as php://filter/resource=, effectively sidestepping the LIBXML_NONET restriction.

Additionally, by abusing parameter entities (%name;), attackers can inject malicious content into the XML structure before security checks are applied.

Further complicating matters, the research demonstrates how payloads can be compressed using filters like zlib.deflate and encoded in base64 to reduce their size, allowing them to fit within common server constraints for GET parameters or query strings.

According to PT Swarm Report, this approach also facilitates exfiltration via DNS subdomains when outbound TCP connections are blocked on the server.

Real-World Implications and CVE Assignment

The vulnerability has already been observed in specific applications.

For instance, an XXE flaw in SimpleSAMLphp (CVE-2024-52596) allowed unauthenticated users to read configuration files, extract private keys, and forge authentication assertions.

This effectively enabled attackers to bypass authentication mechanisms entirely when SimpleSAMLphp was configured as an Identity Provider.

Zhurnakov’s research underscores the importance of secure XML parsing practices in PHP applications.

Developers are advised to disable all unnecessary libxml flags (LIBXML_DTDLOAD, LIBXML_NOENT, etc.) and ensure that the latest PHP versions with enhanced XXE protections (such as LIBXML_NO_XXE introduced in PHP 8.4) are deployed.

This vulnerability serves as a stark reminder of how complex attack vectors can emerge from seemingly minor misconfigurations, emphasizing the need for rigorous testing and secure coding practices in web application development.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.