CWE - 611 : Information Leak Through XML External Entity File Disclosure
CWE Definition: http://cwe.mitre.org/data/definitions/611.html
Number of vulnerabilities: 799
Description
The product processes an XML document that can contain XML
entities with URLs that resolve to documents outside of the intended sphere of
control, causing the product to embed incorrect documents into its
output.

XML documents optionally contain a Document Type Definition (DTD), which,
among other features, enables the definition of "XML entities". It is
possible to define an entity locally by providing a substitution string in
the form of a URL whose content is substituted for the XML entity when the
DTD is processed. The attack can be launched by defining an XML entity whose
content is a file URL (which, when processed by the receiving end, is mapped
into a file on the server), that is embedded in the XML document, and thus,
is fed to the processing application. This application may echo back the
data (e.g. in an error message), thereby exposing the file contents.
Other Notes
Note that a URL can use non-HTTP schemes. In particular, a URL such as
"file:///c:/winnt/win.ini" designates (on Windows) the file
C:\Winnt\win.ini. Similarly, a URL can be used to designate any file on
any drive.
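As an added illustration (not part of the CWE entry), the following Python sketch uses only the standard library to list the external entity declarations in an untrusted document without resolving them, and refuses to parse when any are present. The function names, the rejection policy and the sample documents are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from xml.parsers import expat

# Constructed samples: one external entity (the file URL quoted in the notes
# above) and one harmless internal entity.
SAMPLE_EXTERNAL = (b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///c:/winnt/win.ini">]>'
                   b'<r>&xxe;</r>')
SAMPLE_INTERNAL = b'<!DOCTYPE r [<!ENTITY a "hello">]><r>&a;</r>'


class ExternalEntityError(ValueError):
    """The document declares an entity with a SYSTEM or PUBLIC identifier."""


def external_entities(xml_bytes):
    """Return [(name, system_id, scheme)] for each external entity declared.

    expat only reports the declarations here; nothing is fetched or expanded.
    """
    found = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a literal value; external ones carry identifiers.
        if system_id is not None or public_id is not None:
            scheme = urlsplit(system_id or "").scheme or "(relative)"
            found.append((name, system_id, scheme))

    parser = expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_bytes, True)
    return found


def parse_untrusted(xml_bytes):
    """Parse XML only if it declares no external entities (hypothetical policy)."""
    found = external_entities(xml_bytes)
    if found:
        raise ExternalEntityError(f"external entities declared: {found}")
    return ET.fromstring(xml_bytes)


if __name__ == "__main__":
    print(external_entities(SAMPLE_EXTERNAL))
    print(parse_untrusted(SAMPLE_INTERNAL).text)
```

Logging the reported scheme alongside the rejection makes it possible to tell file-based attempts from references to remote hosts.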
Warning! CWE definitions are provided as a quick reference. They are
not complete and may not be up to date! You must visit
http://cwe.mitre.org/ for a complete list of CWE entries and for more details.