Description
XML supports a facility known as "external entities", which instruct an XML processor to retrieve and perform an inline include of XML located at a particular URI. An external XML entity can be used to append or modify the document type declaration (DTD) associated with an XML document. An external XML entity can also be used to include XML within the content of an XML document.
Now assume that the XML processor parses data originating from a source under attacker control. Most of the time the processor will not be validating, but it MAY include the replacement text thus initiating an unexpected file open operation, or HTTP transfer, or whatever system ids the XML
processor knows how to access.
below is a sample XML document that will use this functionality to include the contents of a local file (/etc/passwd)
<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE acunetix [ <!ENTITY acunetixent SYSTEM "file:///etc/passwd"> ]> <xxx>&acunetixent;</xxx>
Remediation
If possible it's recommended to disable parsing of XML external entities.
References
CWE-611: Information Exposure Through XML External Entity Reference
Related Vulnerabilities
WordPress Plugin Simply Static Arbitrary File Download (1.6.2)
WordPress Plugin WP Import Export Lite Information Disclosure (3.9.15)
WordPress Plugin U Extended Comment 'fileurl' Parameter Arbitrary File Download (1.0.1)
WordPress Plugin IBS Mappro Arbitrary File Download (0.6)
WordPress Plugin IP Blacklist Cloud Arbitrary File Disclosure (3.42)