PHP XXE Vulnerability Exposes Config Files & Private Keys to Attackers

A critical vulnerability in PHP’s XML parsing mechanisms has been uncovered, enabling attackers to bypass multiple security restrictions and gain unauthorized access to sensitive server data.

This flaw, categorized as an XML External Entity (XXE) vulnerability, allows attackers to exfiltrate configuration files, private keys, and other sensitive information stored on the server.

Technical Overview of the Vulnerability

The vulnerability arises from the improper handling of XML input in PHP’s DOMDocument class.

Despite safeguards such as external entity loading being disabled by default, and despite parser behaviour being governed by flags such as LIBXML_NONET, LIBXML_DTDLOAD, and LIBXML_NOENT, researchers demonstrated that these defenses can be bypassed using advanced techniques.

The attack leverages parameter entities (%entity;) to inject malicious payloads during the XML parsing process.

[Figure: working XXE payload]

By exploiting inconsistencies in libxml2—the underlying library for PHP’s XML processing—attackers can load external resources or manipulate data streams using PHP wrappers like php://filter.

According to PT Swarm, this enables them to encode and exfiltrate sensitive files such as /etc/passwd or configuration files used by applications like SimpleSAMLphp.

Key Exploitation Techniques:

  1. Bypassing LIBXML_NONET: The flag intended to block external HTTP requests can be circumvented by replacing http:// with alternative PHP wrappers, such as php://filter/resource=http://.
  2. Manipulating loadXML Behavior: Calling loadXML twice with specific flags like LIBXML_DTDLOAD allows attackers to retain malicious payloads across parsing stages.
  3. Encoding Payloads: Filters like convert.base64-encode are applied to file contents so that characters illegal inside XML do not break the document while it is prepared for exfiltration.
  4. DNS-Based Exfiltration: In cases where outbound TCP connections are blocked, attackers can transmit stolen data via DNS queries.

One notable example of this vulnerability was discovered in SimpleSAMLphp, a widely used authentication library.

The flaw allowed attackers to read configuration files, extract private keys, and forge assertions, effectively bypassing authentication mechanisms configured for Identity Providers.

This exploit did not require prior authentication and posed a significant risk to applications relying on SimpleSAMLphp.

Moreover, the research highlights that similar vulnerabilities may exist in other libraries or systems utilizing PHP’s XML parsing functions.

A separate report on another vendor is pending disclosure once the issue is resolved.

To address this vulnerability:

  • Developers should ensure that the LIBXML_NO_XXE flag (introduced in PHP 8.4.0) is enabled.
  • Avoid setting flags like LIBXML_DTDLOAD, LIBXML_DTDATTR, or LIBXML_NOENT unless absolutely necessary.
  • Validate and sanitize all user-provided XML inputs rigorously before processing them.
  • Consider disabling error outputs that might leak sensitive information during exploitation attempts.
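The mitigations above put into code, as an added example that is not code from the article or from SimpleSAMLphp: a hardened DOMDocument loader for applications that only ever need plain, DTD-free XML. The function name loadXmlSafely and the two constructed inputs are assumptions of this example.

```php
<?php
// Added example: hardened DOMDocument loading (not the article's or SimpleSAMLphp's code).
// Assumption: the application never needs a DTD, so any DOCTYPE is rejected outright.
declare(strict_types=1);

function loadXmlSafely(string $xml): ?DOMDocument
{
    // Parameter entities (%name;) and external entities can only be declared
    // inside a DTD, so refuse documents that carry a DOCTYPE before parsing.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        return null;
    }

    // Explicit, minimal flags. LIBXML_DTDLOAD, LIBXML_DTDATTR and LIBXML_NOENT
    // are deliberately absent; LIBXML_NO_XXE is added where PHP (8.4.0+) defines it.
    $flags = LIBXML_NONET | LIBXML_NOBLANKS;
    if (defined('LIBXML_NO_XXE')) {
        $flags |= LIBXML_NO_XXE;
    }

    // Keep libxml errors internal so parser messages never reach the HTTP response.
    $previous = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        $doc->resolveExternals   = false;
        $doc->substituteEntities = false;

        if ($doc->loadXML($xml, $flags) === false) {
            return null;
        }
        // Second check after parsing: a DOCTYPE hidden from the textual check
        // (for example by a different input encoding) still shows up here.
        if ($doc->doctype !== null) {
            return null;
        }
        return $doc;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

// Constructed inputs for demonstration only.
$benign  = '<?xml version="1.0"?><Response><Assertion ID="a1"/></Response>';
$withDtd = '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY % ext SYSTEM "http://example.invalid/x.dtd">]><x/>';

var_dump(loadXmlSafely($benign) instanceof DOMDocument); // parsed
var_dump(loadXmlSafely($withDtd));                       // rejected
```

On a PHP build older than 8.4.0 the defined() check simply leaves LIBXML_NO_XXE out, so the DOCTYPE rejection and the absence of LIBXML_DTDLOAD/LIBXML_NOENT carry the protection on their own.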

While these measures can minimize risk, the complexity of bypass techniques underscores the importance of adopting secure coding practices and staying updated on emerging threats.

This discovery serves as a reminder of the evolving nature of web application security challenges and the need for continuous vigilance in securing software ecosystems.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.