XML External Entity vector
PHP's XML functions rely on libxml's process-global state to track configuration, including whether external entities are loaded. Any request can change that state, and the change persists for as long as the process keeps running, so it carries over into later requests served by the same worker. Other modules that use libxml in the same process, such as ImageMagick, can therefore change that state for their own purposes and affect every other use of libxml in the process (e.g. XML parsed through the DOM functionality). If such a module enables external entity loading while the application assumes it is disabled, the result is an XML eXternal Entity (XXE) vector that can disclose whether files exist on the local filesystem and/or their contents.
If you use any XML functionality in PHP, we strongly recommend upgrading to a PHP version that has been patched.
If you cannot update immediately, disable external entity loading immediately before each operation that parses XML (e.g. DOMDocument::load(), DOMDocument::loadXML(), XMLReader::open(), simplexml_load_file(), etc.) by calling libxml_set_external_entity_loader(null). Because the state is process-global and another module may change it again at any time, disabling it once at startup is not enough; the call must precede each parse.
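The following is an added example, not code from the Zend or PHP advisory, showing one way to apply the workaround above: a wrapper that calls libxml_set_external_entity_loader(null) right before every parse, and, as defence in depth, refuses untrusted documents that carry a DOCTYPE (without a DOCTYPE no entity can be declared) and never passes the LIBXML_NOENT or LIBXML_DTDLOAD flags. The helper name parse_untrusted_xml() and the XXE-shaped input are assumptions constructed for this example.

```php
<?php
// Added example (not from the advisory): apply the workaround immediately
// before each parse and add a DOCTYPE check as defence in depth.
// parse_untrusted_xml() is a hypothetical helper name; the XML inputs
// below are constructed samples, not real traffic.

declare(strict_types=1);

final class XmlParseException extends RuntimeException {}

/**
 * Parse XML from an untrusted source with external entity loading disabled.
 *
 * The advisory says the loader must be disabled immediately before the parse,
 * because another module in the same process (e.g. ImageMagick) may have
 * changed libxml's global state since the previous request.
 */
function parse_untrusted_xml(string $xml): DOMDocument
{
    // Defence in depth: a document with no DOCTYPE cannot declare entities,
    // so untrusted input that carries one is rejected before any parsing.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new XmlParseException('DOCTYPE declarations are not accepted in untrusted XML');
    }

    // The advisory's workaround, applied right before the parse call.
    libxml_set_external_entity_loader(null);

    // Collect libxml errors instead of emitting PHP warnings.
    $previous = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        // LIBXML_NONET forbids network access during parsing.
        // Do NOT pass LIBXML_NOENT or LIBXML_DTDLOAD: those opt in to entity
        // substitution and DTD loading, which is what an XXE payload needs.
        $ok = $doc->loadXML($xml, LIBXML_NONET);
        if ($ok === false) {
            $messages = array_map(
                static fn (LibXMLError $e): string => trim($e->message),
                libxml_get_errors()
            );
            throw new XmlParseException('XML parse failed: ' . implode('; ', $messages));
        }
        return $doc;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

// Constructed sample input in the classic XXE shape (not a real payload).
$attack = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<data>&xxe;</data>
XML;

// Constructed benign input.
$benign = '<?xml version="1.0"?><data><item id="1">ok</item></data>';

try {
    parse_untrusted_xml($attack);
} catch (XmlParseException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

$doc = parse_untrusted_xml($benign);
echo $doc->getElementsByTagName('item')->item(0)->textContent, "\n";
```

The PHP manual also documents that a resolver callback passed to libxml_set_external_entity_loader() may return null, which makes libxml report the external entity as failed to load; libxml_set_external_entity_loader(static fn () => null) is that stricter form and is an editor's note here rather than part of the advisory. Whichever form you use, keep it inside the parsing helper so that it runs on every call, not once at bootstrap.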
CVE: CVE-2023-3823