Security issue with external entity loading in XML without enabling it
CVE-2023-3823
Summary
In specific versions of PHP, the XML functions incorrectly rely on global state managed by libxml to track the configuration variables that control external entity loading. PHP assumes this state stays unchanged unless user code alters it by calling the relevant functions. Because the state is process-wide, however, other modules, such as ImageMagick, can also modify it, potentially enabling external entity loading unintentionally. As a result, if an attacker can control the XML input passed to these functions, they may exploit this behavior to parse external XML while loading local entities. This could lead to the exposure of sensitive local files accessible to PHP. The altered state persists across multiple requests within the same process until the process is terminated.
Affected Version(s)
PHP 8.0.*
PHP 8.0.* < 8.0.30
PHP 8.1.* < 8.1.22
News Articles
Enhanced Security for Ubuntu Users: Key Updates Address Critical PHP Vulnerabilities
Explore the recent updates targeting critical vulnerabilities in PHP, enhancing digital security for Ubuntu users. Learn about CVE-2023-3823 and CVE-2023-3824, the impact of timely updates, and the broader implications for online security in today's interconnected world.
Code exploiting two critical PHP(< 8.0.30) vulnerabilities published
Timeline
Vulnerability published
Exploit known to exist
First article discovered by Information Security Newspaper
Vulnerability Reserved