
CVE-2023-3823

Published: 2023-08-22 17:49:49
Source: redhat.com (access.redhat.com)
Tags: php, xml, security flaw, remote attack, sensitive data, mitigation, xxe prevention

AI Score: 8.3 (High)
Confidence: High
EPSS: 0.001 (Low)
EPSS Percentile: 24.2%

A flaw was found in PHP due to inadequate validation of user-supplied XML input. By leveraging specially crafted XML code, a remote attacker could obtain sensitive information by viewing the contents of arbitrary files on the system or initiating requests to external systems. This issue may allow unauthorized access to sensitive data and the potential for network scanning of internal and external infrastructure.

Mitigation

To avoid XML external entity attacks, either disable external entity loading if it's not necessary for your application or change the default external entity loader by using libxml_set_external_entity_loader. This can be used to suppress the expansion of arbitrary external entities. For PHP versions prior to 8.0, the following should be set when using the default PHP XML parser in order to prevent XXE:

https://www.php.net/manual/en/function.libxml-set-external-entity-loader.php
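The loader-based mitigation described above, as an added example that is not part of the advisory: a resolver installed with libxml_set_external_entity_loader refuses every external entity before untrusted XML is parsed. The sample document and the function name parseUntrustedXml are constructed for this example, and the libxml_disable_entity_loader() call for PHP versions before 8.0 is an assumption not named in the advisory text.

```php
<?php
// Added example, not from the advisory: parse untrusted XML in PHP with
// libxml_set_external_entity_loader() refusing every external entity.
declare(strict_types=1);
// Constructed sample input: declares an external entity pointing at a
// local file, the pattern the advisory describes.
$untrustedXml = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE doc [ <!ENTITY ext SYSTEM "file:///etc/hostname"> ]>
<doc><value>&ext;</value></doc>
XML;
/**
 * Parse untrusted XML with external entity resolution disabled.
 * Returns the text of <value>, or null when the document is rejected.
 */
function parseUntrustedXml(string $xml): ?string
{
    // Assumption (not in the advisory text): on PHP < 8.0 the legacy
    // switch must be set as well; it is deprecated from 8.0 onwards.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    // Resolver that refuses every external resource. Returning null tells
    // libxml the resource is unavailable, so no file is read and no outbound
    // request is made. Logging it gives detection a signal worth alerting on.
    libxml_set_external_entity_loader(
        static function ($publicId, $systemId, $context): ?string {
            error_log('Blocked external entity reference: ' . $systemId);
            return null;
        }
    );
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // Do not pass LIBXML_NOENT or LIBXML_DTDLOAD: both request expansion.
    $loaded = $doc->loadXML($xml);
    libxml_clear_errors();
    // Reset to the default loader so unrelated code keeps its behaviour.
    libxml_set_external_entity_loader(null);
    if (!$loaded) {
        return null;
    }
    $node = $doc->getElementsByTagName('value')->item(0);
    return $node === null ? null : $node->textContent;
}
// The entity is never fetched, so the returned text contains no file data.
var_dump(parseUntrustedXml($untrustedXml));
```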