CVE-2015-8866 in PHP
Summary
by MITRE
ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161.
Analysis
by VulDB Data Team • 08/21/2022
The vulnerability identified as CVE-2015-8866 represents a critical thread safety issue within PHP's libxml library implementation when operating in PHP-FPM environments. This flaw exists in PHP versions prior to 5.5.22 and 5.6.x prior to 5.6.6, where the library fails to properly isolate thread contexts when managing entity loader settings. The core problem manifests when multiple threads share the same libxml context, allowing malicious actors to manipulate entity loading behavior across different execution threads through a single crafted XML document.
The vulnerability stems from PHP's improper handling of libxml_disable_entity_loader calls in multi-threaded environments. When PHP-FPM manages concurrent requests, each request typically operates within its own thread context, but the libxml library maintains global state that affects all threads sharing the same process. As a result, a change to the entity loader setting made in one thread can affect other threads that are processing different requests or XML documents. The flaw lets attackers construct crafted XML documents that trigger both XML External Entity (XXE) and XML Entity Expansion (XEE) attacks, which makes it particularly dangerous in web application contexts where XML processing is common.
The operational impact of this vulnerability extends beyond simple data exfiltration or denial of service attacks. Attackers can leverage this weakness to perform server-side request forgery attacks, access local files through file inclusion vulnerabilities, or consume excessive system resources through entity expansion attacks. The vulnerability specifically affects applications that process XML data through PHP's libxml functions, which are commonly used in web services, API endpoints, and data processing applications. Given that PHP-FPM is widely deployed in production environments, this vulnerability creates a significant risk for organizations running affected PHP versions, potentially allowing attackers to gain unauthorized access to sensitive system resources or compromise entire application stacks.
Organizations should prioritize immediate patching of affected PHP installations to address this thread safety issue. The recommended mitigation involves upgrading to PHP versions 5.5.22 or 5.6.6 and later, which contain the necessary fixes to properly isolate thread contexts within the libxml library. Additionally, administrators should implement proper input validation and sanitization for all XML processing functions, particularly when dealing with untrusted data sources. The vulnerability aligns with CWE-362, which describes concurrent execution using shared resource vulnerabilities, and maps to ATT&CK technique T1213.002 for data from information repositories, highlighting the importance of proper resource isolation in multi-threaded environments. Security teams should also consider implementing network-level protections such as XML firewalls or content filtering mechanisms to provide additional defense-in-depth layers against exploitation attempts.
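One way to apply the upgrade check and the input validation described above in application code, as an added example that is not part of the original advisory or of PHP itself: a version test against the fixed releases, and a loader that refuses any document carrying a DTD instead of relying on the shared libxml_disable_entity_loader setting. The function names and the sample documents are constructed for illustration.

```php
<?php
// Added example; has_cve_2015_8866_fix() and load_untrusted_xml() are hypothetical names.

// True when the runtime is at or past the fixed releases named in the advisory.
function has_cve_2015_8866_fix($versionId = PHP_VERSION_ID)
{
    return $versionId >= 50600 ? $versionId >= 50606 : $versionId >= 50522;
}

// Parse untrusted XML without depending on libxml_disable_entity_loader().
function load_untrusted_xml($xml)
{
    // Require plain UTF-8 so the byte scan below sees the markup the parser sees.
    $body = ltrim(preg_replace('/^\xEF\xBB\xBF/', '', $xml));
    if ($body === '' || $body[0] !== '<' || strpos($body, "\0") !== false) {
        throw new InvalidArgumentException('not a UTF-8 XML document');
    }
    if (preg_match('/^<\?xml[^>]*\bencoding\s*=\s*["\']([^"\']*)/i', $body, $m)
        && !in_array(strtolower($m[1]), array('utf-8', 'us-ascii'), true)) {
        throw new InvalidArgumentException('declared encoding refused: ' . $m[1]);
    }
    // No DTD means no entity declarations; strict, so it also fires inside CDATA.
    if (stripos($body, '<!DOCTYPE') !== false || stripos($body, '<!ENTITY') !== false) {
        throw new InvalidArgumentException('DTD and entity declarations refused');
    }
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $ok = $doc->loadXML($body, LIBXML_NONET); // no network fetches by the parser
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$ok) {
        throw new InvalidArgumentException('malformed XML');
    }
    return $doc;
}

// Constructed sample inputs: one plain document, one with a harmless internal entity.
$samples = array(
    '<?xml version="1.0" encoding="UTF-8"?><order><id>42</id></order>',
    '<!DOCTYPE order [<!ENTITY e "x">]><order><id>&e;</id></order>',
);
printf("runtime patched: %s\n", has_cve_2015_8866_fix() ? 'yes' : 'no');
foreach ($samples as $i => $xml) {
    try {
        printf("sample %d: accepted, root <%s>\n", $i, load_untrusted_xml($xml)->documentElement->nodeName);
    } catch (InvalidArgumentException $e) {
        printf("sample %d: rejected (%s)\n", $i, $e->getMessage());
    }
}
```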