Python : XML external entity (XXE) injection

Overview

An XML external entity (XXE) attack is possible. An attacker can crash or stall the application, or gain access to sensitive data it has access to (local files, internal network services).

The standard-library modules xml.sax and xml.dom.pulldom (pulldom is built on the same expat-based SAX reader) do not protect against malicious XML input. Depending on the Python version and parser configuration, an attacker who controls the document can have external entities resolved to read local files, make the server open network connections to other hosts (including hosts behind a firewall that the attacker cannot reach directly), or exhaust CPU and memory through entity expansion (billion laughs, quadratic blowup). Caveat: since Python 3.7.1 the SAX parser no longer processes general external entities by default, so the file-read and SSRF variants affect Python older than 3.7.1 and any code that re-enables the feature_external_ges feature; the entity-expansion denial of service affects every standard-library parser on every version. The usual fix is the defusedxml package, whose drop-in replacements reject DTDs and entity expansion outright.

XML's DTD (Document Type Definition) lets a document declare entities, including external entities whose content is loaded from a URI such as a local file path or a network location. Once declared in the document's DOCTYPE, an external entity can be referenced anywhere in the body, and the parser substitutes its content at parse time without validating what is being pulled in or where it comes from.

If the application parses XML received from an untrusted source (for example, a request body or an uploaded file), the attacker can declare external entities the application never intended to exist, have the parser expand them, and thereby read local files, reach internal hosts, or disrupt the application.
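The following added example (not part of the original entry) shows both halves of the problem with the standard-library xml.sax parser. It writes a constructed secret to a temporary file, builds a document whose DOCTYPE declares an external entity pointing at that file, and parses it twice: once with external general entities enabled (the pre-3.7.1 default, re-enabled here via feature_external_ges to reproduce it on current Python), which leaks the file contents into the parsed text, and once with a hardened parser that keeps external entities off and rejects any DTD through a lexical handler. The ForbidDTD class, TextCollector handler and the demo() function are this example's own names; the technique of rejecting DOCTYPE from a lexical handler's startDTD is the same one defusedxml uses.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, property_lexical_handler


class TextCollector(ContentHandler):
    """Collects all character data the parser hands us, entity expansions included."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts).strip()


class ForbidDTD:
    """Lexical handler (assumed name) whose only job is to refuse any DOCTYPE.

    expat reports the DOCTYPE before any entity inside it is declared, so raising
    here stops both external-entity and billion-laughs documents up front.
    """

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DTD/DOCTYPE is not allowed: %r" % name)

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def xxe_payload(path):
    """Constructed attacker document: an external entity that reads `path`."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE creds [<!ENTITY xxe SYSTEM "%s">]>\n'
        "<creds><password>&xxe;</password></creds>" % path
    ).encode()


def parse_legacy(xml_bytes):
    """Behaves like xml.sax before Python 3.7.1: external general entities are resolved."""
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, True)  # the dangerous setting
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def parse_hardened(xml_bytes):
    """External entities stay off and any DTD aborts the parse."""
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, False)
    parser.setProperty(property_lexical_handler, ForbidDTD())
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def demo():
    """Returns (text leaked by the legacy parser, whether the hardened parser blocked it)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w") as f:
            f.write("s3cr3t-db-password\n")  # constructed secret
        payload = xxe_payload(secret_path)
        leaked = parse_legacy(payload)
        try:
            parse_hardened(payload)
            blocked = False
        except ValueError:
            blocked = True
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("legacy parser leaked:", repr(leaked))
    print("hardened parser blocked the DTD:", blocked)
```

On Python 3.7.1 or newer, leaving feature_external_ges at its default would make parse_legacy return an empty string instead of the secret, because the reference is skipped; the hardened variant is still needed because the default does nothing against entity-expansion denial of service, and because a single setFeature call elsewhere in the code base silently reopens the file-read path.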

DerScanner Severity Score: CRITICAL
