Please give me a hint why my code is NOT vulnerable to XXE.
Code:
$text = $_POST['textarea'];
$doc = new DOMDocument();
$doc->loadXML($text);
echo $doc->textContent;
Test case 1:
<justsomexmltag>Hello world</justsomexmltag>
Result 1:
Hello world
So far so good. However, when I'm trying to inject XML code to retrieve a local file's content:
<?xml version="1.0"?>
<!DOCTYPE log [
<!ENTITY ent SYSTEM "test.txt">
]>
<log><text>&ent;</text></log>
then nothing is printed. "test.txt" is on the same level in the file structure as the php file where I carry out the attack. I have tried
<!ENTITY ent SYSTEM file:///"test.txt">
as well as
<!ENTITY ent SYSTEM file:///full path to the file>
but to no avail.
test.txt:
This is just a test.
Have tried:
<test>This is just a test.</test>
No results.
Any hints?
Reflecting @Paul Crovella, here's an edit:
CP-ing your code resulted in:
DOMDocument::loadXML(): I/O warning : failed to load external entity file:// full path to file name
DOMDocument::loadXML(): Failure to process entity ent in Entity
DOMDocument::loadXML(): Entity 'ent' not defined in Entity
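
As an added example that is not part of the original post: `DOMDocument::loadXML()` does not substitute entities unless `LIBXML_NOENT` is passed, so that flag is the setting to look for in code review. The sketch below contrasts the default parse, the `LIBXML_NOENT` parse, and a hardened wrapper; `parseUntrustedXml()` is a hypothetical helper, the temp file is a constructed stand-in for `test.txt`, and a Unix-style absolute path is assumed.

```php
<?php
// Constructed sample: a temp file standing in for the question's test.txt.
$sample = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($sample, 'This is just a test.');

// Same document shape as in the question, pointing at the temp file
// (assumes a Unix-style absolute path, giving file:///tmp/...).
$xml = '<?xml version="1.0"?>' . "\n"
     . '<!DOCTYPE log [<!ENTITY ent SYSTEM "file://' . $sample . '">]>' . "\n"
     . '<log><text>&ent;</text></log>';

// 1. Default options, as in the question: the reference is kept as an
//    entity-reference node and the external file is never read.
$doc = new DOMDocument();
$doc->loadXML($xml);
$first = $doc->getElementsByTagName('text')->item(0)->firstChild;
printf("default:      first child is %s\n", get_class($first));

// 2. Weak setting: LIBXML_NOENT asks libxml2 to substitute entities,
//    which includes fetching external ones. Never use it on untrusted input.
$doc = new DOMDocument();
$doc->loadXML($xml, LIBXML_NOENT);
printf("LIBXML_NOENT: textContent is %s\n", var_export($doc->textContent, true));

// 3. Hardened form (hypothetical helper): no entity substitution,
//    no network access, and any document carrying a DOCTYPE is refused.
function parseUntrustedXml(string $xml): DOMDocument
{
    $doc = new DOMDocument();
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        throw new InvalidArgumentException('malformed XML');
    }
    if ($doc->doctype !== null) {
        throw new InvalidArgumentException('DOCTYPE not allowed');
    }
    return $doc;
}

try {
    parseUntrustedXml($xml);
} catch (InvalidArgumentException $e) {
    printf("hardened:     rejected (%s)\n", $e->getMessage());
}
// The benign test case from the question still parses.
echo parseUntrustedXml('<justsomexmltag>Hello world</justsomexmltag>')->textContent, "\n";
unlink($sample);
```

On PHP versions before 8.0, `libxml_disable_entity_loader(true)` additionally blocks the external fetch in step 2; the function is deprecated from PHP 8.0 on.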