current webservices implementation is vulnerable to XXE/XEE attacks #2174

Closed
redguy666 opened this Issue · 1 comment

@redguy666

XXE/XEE attacks have been known for quite a long time, although they are not popular. They can lead to DoS or to stealing local files from the server with prepared XML requests that contain custom XML entity definitions.

The current WebService implementation passes the request straight to the PHP SOAP server, which may lead to exposing such vulnerabilities to the public. We should patch this component similarly to Zend and Symfony (commit #25031 in http://framework.zend.com/code/log.php?repname=Zend+Framework&path=%2Ftrunk%2Flibrary%2FZend%2FSoap%2FServer.php&rev=25031&peg=25176).

I can provide a patch soon.

@redguy666 redguy666 referenced this issue from a commit in redguy666/yii
@redguy666 redguy666 patch for webservice XXE/XEE vulnerability
solves #2174
d66cc6a
@resurtm resurtm was assigned
@resurtm
Collaborator

I'll reopen this if it is needed. See: #2177 (comment)

@resurtm resurtm closed this
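
The kind of pre-check the issue asks for, shown as an added example that is not part of the issue, the referenced commits or Yii's own code: the raw request body is refused if it declares a DOCTYPE, before it is handed to PHP's SOAP server. The function name `assertNoDoctype` and the sample request bodies are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not code from Yii or Zend Framework.
// Refuses any request body that declares a DOCTYPE, so no custom entity
// definition (internal or external) reaches the SOAP server's parser.
function assertNoDoctype(string $xml): void
{
    // On PHP before 8.0 switch the external entity loader off explicitly;
    // from 8.0 the call is deprecated because libxml 2.9+ no longer loads
    // external entities by default.
    $restore = PHP_VERSION_ID < 80000 ? libxml_disable_entity_loader(true) : null;
    $prevErrors = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // No LIBXML_NOENT or LIBXML_DTDLOAD: nothing is substituted or fetched.
        if ($xml === '' || !$dom->loadXML($xml, LIBXML_NONET)) {
            throw new InvalidArgumentException('Invalid XML in SOAP request');
        }
        foreach ($dom->childNodes as $node) {
            if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new InvalidArgumentException('DOCTYPE not allowed in SOAP request');
            }
        }
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($prevErrors);
        if ($restore !== null) {
            libxml_disable_entity_loader($restore);
        }
    }
}

// Constructed sample bodies; the entity here is a harmless internal string.
$samples = [
    'plain envelope' => '<?xml version="1.0"?><soap:Envelope xmlns:soap='
        . '"http://schemas.xmlsoap.org/soap/envelope/"><soap:Body/></soap:Envelope>',
    'with DOCTYPE'   => '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>',
    'not XML'        => 'hello',
];

foreach ($samples as $label => $body) {
    try {
        assertNoDoctype($body);
        // In a real endpoint the body would come from php://input and be
        // passed on here, e.g. $server->handle($body) on a SoapServer.
        echo "$label: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```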