We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.
Remove the LIBXML_DTDLOAD | LIBXML_DTDATTR options from $options is in: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L41
LIBXML_DTDLOAD | LIBXML_DTDATTR
$options
To be published on Dec 8.
ahacker1-securesaml Reporter
Summary
When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.
Mitigation:
Remove the
LIBXML_DTDLOAD | LIBXML_DTDATTRoptions from$optionsis in: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L41Background / details
To be published on Dec 8.