XXEs are awful. You wouldn't think that simply by parsing an XML file --- something so simple people are tempted to do it with regexes --- you'd be invoking machinery that translates the XML language and binds it to, in effect, scripting language features. But that's what you're doing when you use common XML libraries!

For applications on mainstream stacks, if you accept XML inputs (explicitly accept them, that is; as in, invoke the XML parser yourself) and haven't taken the time to make sure you're not expanding entities, the safest bet is to assume that your XML parser has a "let inbound XML run shell commands" feature embedded into it. That's an oversimplification, but maybe not much of one.

This is a great, subtle finding. And Reginaldo handled it like a pro. Let the feeding frenzy for hiring Reginaldo Silva... commence! :)
Hi HN, I'm the one who found the bug. My writeup is at http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution. I'd be glad to answer any questions. I won't disclose the amount for now because I want to know what people think this would be worth, but eventually it will be disclosed. If you run an OpenID-enabled server now it's a great time to make sure your implementation is patched.
The fact that Facebook is paying $33,000 for a remote code execution bug might be one of the big reasons that it's the biggest bug that's been reported to them.
I wonder whether the non-malicious applications of XML external entities outnumber the malicious applications.

Any HNers want to chime in with an account of actually using them for what they're meant for?
/Leaving aside XML techno babble/:

>>>
...
We knew we wanted to pay out a lot because of the severity of the issue, so we decided to average the payout recommendations across a group of our program administrators. As always, we design our payouts to reward the hard work of researchers who are already inclined to do the right thing and report bugs to the affected vendors.
...
>>>

So, instead of awarding the bounty to the researcher who found and intelligently handled the disclosure of the issue, Facebook "decided to average the payout" in order to keep part of the bounty to themselves, rewarding themselves for "hard work" and glorifying themselves for "awarding our biggest bug bounty payout ever"?
XXEs are nasty. Back in the early 2000s I found every single Java RSS parser (back then that was an important thing) was vulnerable.

I submitted patches for them all, but it was kinda nasty to fix in Java, because each XML parser had different custom properties to set. https://github.com/rometools/rome/blob/master/src/main/java/com/sun/syndication/io/WireFeedInput.java#L311 is the hackiness I had to do for ROME.
This was in PHP but the problem exists in most languages. For all of you Python programmers out there, check out defusedxml and use it. They have a good explanation of many of the dangers in XML parsing:

https://pypi.python.org/pypi/defusedxml
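The thread makes the same point three times: the first comment's "the parser binds XML to scripting features", the ROME comment's per-parser properties that switch entity handling off, and the recommendation of defusedxml. The example below is added here and is not code from any of the commenters, from Reginaldo Silva's writeup, or from the defusedxml project. It uses only CPython's standard `xml.parsers.expat` module: `parse_trusting` runs expat at its defaults, so an entity declared in the document's DTD is silently substituted into the content, while `parse_untrusted` installs the same kind of refusing handlers defusedxml uses (its `forbid_dtd` / `forbid_entities` behaviour) so that a DOCTYPE or entity declaration aborts the parse before it can take effect. The sample documents and the function and exception names are constructed for the demonstration.

```python
"""Added example (not code from the thread, the writeup, or defusedxml).

Contrast CPython's expat parser at its defaults with a hardened wrapper
that refuses any DTD. Internal and external (SYSTEM) entities are declared
in the same DOCTYPE subset, so rejecting the DOCTYPE closes the whole class.
"""
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML tries to declare a DTD or an entity."""


def _collect_text(parser):
    """Attach a character-data handler and return the list it fills.

    expat may deliver one text node in several chunks, so callers join them.
    """
    chunks = []
    parser.CharacterDataHandler = chunks.append
    return chunks


def parse_trusting(data: bytes) -> str:
    """Default expat behaviour: entities from the DTD are expanded into text.

    Nothing in the document body says 'hello from the DTD'; the parser pulls
    it in from the declaration, which is the 'XML that behaves like a script'
    situation the thread describes.
    """
    parser = expat.ParserCreate()
    chunks = _collect_text(parser)
    parser.Parse(data, True)
    return "".join(chunks)


def parse_untrusted(data: bytes) -> str:
    """Hardened variant: abort on DOCTYPE, entity declarations and external refs."""
    parser = expat.ParserCreate()

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before any entity inside the DTD is declared.
        raise UnsafeXMLError(f"DOCTYPE declaration for <{name}> rejected")

    def forbid_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "external" if sysid else "internal"
        raise UnsafeXMLError(f"{kind} entity '{name}' declaration rejected")

    def forbid_external_ref(context, base, sysid, pubid):
        # Returning 0 makes expat stop with an error rather than silently
        # dropping the reference.
        return 0

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external_ref
    # Never fetch an external DTD or parameter entity either.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    chunks = _collect_text(parser)
    parser.Parse(data, True)  # a raised UnsafeXMLError propagates from here
    return "".join(chunks)


# Constructed sample inputs (not taken from any real feed or report).
PLAIN_DOC = b'<?xml version="1.0"?><feed><title>Status update</title></feed>'

ENTITY_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE feed [ <!ENTITY greeting "hello from the DTD"> ]>'
    b"<feed>&greeting;</feed>"
)


def demo() -> dict:
    """Run both parsers over the samples and report what each one produced."""
    results = {
        "plain": parse_untrusted(PLAIN_DOC),
        "trusting": parse_trusting(ENTITY_DOC),
    }
    try:
        parse_untrusted(ENTITY_DOC)
        results["hardened"] = "accepted"
    except UnsafeXMLError as exc:
        results["hardened"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:9}: {outcome}")
```

The design choice worth noting is that the hardened wrapper rejects the DOCTYPE rather than trying to tell benign entities from harmful ones; that is the conservative default defusedxml ships with, and it is the same decision the ROME patch had to express through parser-specific properties. Applications that genuinely need a DTD should validate it from a trusted, local source rather than accept one embedded in inbound data.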