Description
The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing a denial of service.
Modes of Introduction:
– Implementation
Likelihood of Exploit: Medium
Related Weaknesses
Consequences
Availability: DoS: Resource Consumption (Other)
If parsed, recursive entity references allow the attacker to expand data exponentially, quickly consuming all system resources.
Potential Mitigations
Phase: Operation
Effectiveness:
Description:
If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities.
Phase: Implementation
Effectiveness:
Description:
Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content.
CVE References
- CVE-2008-3281
- XEE in XML-parsing library.
- CVE-2011-3288
- XML bomb / XEE in enterprise communication product.
- CVE-2011-1755
- “Billion laughs” attack in XMPP server daemon.
- CVE-2009-1955
- XML bomb in web server module
- CVE-2003-1564
- Parsing library allows XML bomb