An appropriately placed attacker can upload a ZIP file with XML files within it. If these XML files contain the payload from billion laughs attack (https://en.wikipedia.org/wiki/Billion_laughs_attack), a denial of service scenario can be created.
Remediation
Before loading the XML into memory, use libxml_disable_entity_loader(true); to ensure no entities can affect your import.
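The remediation above as an added PHP example (not code from the issue or the project): it applies the libxml_disable_entity_loader() call and adds two checks the issue does not mention, refusing DOCTYPE/ENTITY declarations (which a billion-laughs payload needs) and over-large ZIP entries. Assumed names: $zipPath for the uploaded archive and MAX_XML_BYTES for a size cap of your choosing.

```php
<?php
// Added example (not the project's code): import XML entries from an uploaded
// ZIP while refusing the constructs a billion-laughs payload depends on.
// Assumed names: $zipPath (uploaded archive) and MAX_XML_BYTES (chosen cap).
const MAX_XML_BYTES = 5 * 1024 * 1024; // assumption: per-entry size cap

function loadUntrustedXml(string $xml): DOMDocument
{
    // A billion-laughs payload needs entity declarations, which only a DTD can
    // carry. An import that never expects a DOCTYPE can refuse it outright.
    if (stripos($xml, '<!DOCTYPE') !== false || stripos($xml, '<!ENTITY') !== false) {
        throw new InvalidArgumentException('DTD/entity declarations are not allowed');
    }

    // Recommended in the issue: keep libxml from fetching external entities.
    // PHP 8 disables external loading by default and deprecates this call.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }

    $doc = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing. Never add LIBXML_NOENT
    // (substitutes entities) or LIBXML_PARSEHUGE (lifts libxml's expansion limits).
    if (@$doc->loadXML($xml, LIBXML_NONET) !== true) {
        throw new RuntimeException('Rejected malformed XML');
    }
    return $doc;
}

function importXmlFromZip(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException('Cannot open archive');
    }
    $docs = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $stat = $zip->statIndex($i);
        if (!preg_match('/\.xml$/i', $stat['name'])) {
            continue;
        }
        // Check the inflated size before extraction: a tiny archive can hold a huge entry.
        if ($stat['size'] > MAX_XML_BYTES) {
            throw new RuntimeException("Entry {$stat['name']} exceeds the size cap");
        }
        $docs[$stat['name']] = loadUntrustedXml($zip->getFromIndex($i));
    }
    $zip->close();
    return $docs;
}
```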