CVE-2023-3823: Unintended Cross-Library State Side-Effects Cause XML External Entity Vulnerability in PHP

A serious vulnerability has been discovered in PHP, affecting versions 8..* before 8..30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8. The vulnerability, which has been assigned the identification number CVE-2023-3823, is related to the way PHP handles global state tracking of configuration variables within the libxml library. If exploited, this vulnerability can lead to unintended disclosure of sensitive information, such as local files accessible to PHP.

The problem arises due to the following code snippet in PHP's XML functions

/* ... */
xmlSetExternalEntityLoader(OPTION_EXTERNAL_ENTITY_LOADER);
/* ... */

This code sets and relies on a global state within the libxml library, which is then assumed to be unchanged until the user explicitly alters it with the appropriate function.

Original References

- Official PHP bug report
- PHP's XML functions documentation
- libxml library documentation
- ImageMagick library documentation

Exploit Details

The vulnerability is caused by an unintended collision of global states between PHP and other libraries, such as ImageMagick, that may use the same libxml library within a PHP process. When these other libraries change libxml's global state for their own internal purposes, PHP's XML functions may unknowingly operate in a state where external entities are loaded, creating a potential XML External Entity (XXE) vulnerability:

Victim's PHP process uses the affected XML functions to parse the attacker's XML file.

3. Due to the modified global state, external entities are loaded, potentially causing sensitive information to be disclosed.

This vulnerable state may persist across numerous requests within the same PHP process until the process is shut down. Consequently, it is of critical importance that developers using the affected versions of PHP take immediate action to prevent potential exploitation of this vulnerability.

To protect your PHP applications from this vulnerability, you should

1. Upgrade to the latest PHP version (8..30, 8.1.22, or 8.2.8), which contains the necessary fixes for this issue.
2. If upgrading is not feasible, consider adjusting your PHP configuration to disable external entities loading in XML by default.
3. Conduct thorough security reviews and penetration testing to ensure that your PHP environment is secured against potential threats.

Conclusion

CVE-2023-3823 highlights the importance of tracking and addressing security vulnerabilities in the libraries and dependencies used by your programming environments. PHP developers should be diligent in upgrading to the latest, secure versions of PHP and take proactive measures to protect their applications from potential exploits.

Timeline

Published on: 08/11/2023 06:15:00 UTC
Last modified on: 08/22/2023 20:07:00 UTC