The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing a denial of service.
Threat Mapped score: 1.5
Industry: Finiancial
Threat priority: P4 - Informational (Low)
CVE: CVE-2008-3281
XEE in XML-parsing library.
CVE: CVE-2011-3288
XML bomb / XEE in enterprise communication product.
CVE: CVE-2011-1755
"Billion laughs" attack in XMPP server daemon.
CVE: CVE-2009-1955
XML bomb in web server module
CVE: CVE-2003-1564
Parsing library allows XML bomb
N/A
| Phase | Note |
|---|---|
| Implementation | N/A |
| Operation | N/A |
Intro: The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected.
<?xml version="1.0"?> <!DOCTYPE MaliciousDTD [ <!ENTITY ZERO "A"> <!ENTITY ONE "&ZERO;&ZERO;"> <!ENTITY TWO "&ONE;&ONE;"> ... <!ENTITY THIRTYTWO "&THIRTYONE;&THIRTYONE;"> ]> <data>&THIRTYTWO;</data>