CVE-2015-3907
📋 TL;DR
CVE-2015-3907 is an XML External Entity (XXE) vulnerability in CodeIgniter Rest Server 2.7.1 that allows attackers to read arbitrary files from the server, potentially leading to sensitive data exposure. This affects any application using the vulnerable version of the CodeIgniter Rest Server module. Attackers can exploit this by sending specially crafted XML requests to vulnerable endpoints.
💻 Affected Systems
- CodeIgniter Rest Server (codeigniter-restserver)
📦 What is this software?
Codeigniter Restserver by Codeigniter Restserver Project
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through file disclosure of sensitive configuration files (like database credentials), followed by potential remote code execution or data exfiltration.
Likely Case
Unauthorized reading of server files including configuration files, source code, and system files, leading to information disclosure and potential credential theft.
If Mitigated
Limited impact with proper input validation and XML parser configuration preventing external entity expansion.
🎯 Exploit Status
Exploitation requires sending XML requests to vulnerable endpoints. Public exploit code is available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.2 and later
Vendor Advisory: https://github.com/chriskacerguis/codeigniter-restserver/commit/763aac6c9d20a6a80c8dcd3f3d876e5b6c4b7c5f
Restart Required: No
Instructions:
1. Update to CodeIgniter Rest Server version 2.7.2 or later.
2. Replace the existing restserver directory with the updated version.
3. No application restart is required for PHP applications.
🔧 Temporary Workarounds
Disable XML parsing
Disable XML format support in the REST server configuration to prevent XXE attacks.
In application/config/rest.php set: $config['rest_default_format'] = 'json';
Remove 'xml' from $config['rest_supported_formats'] array
Configure XML parser securely
Modify the XML parser to disable external entity loading.
In application/libraries/Format.php, modify the _xml_parse() method to use: libxml_disable_entity_loader(true);
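Added example, not code from the codeigniter-restserver project: a hardened parse routine that a replacement _xml_parse() could delegate to. It assumes the raw request body is handed in as a string and that no legitimate client payload carries a DTD; the two sample documents at the bottom are constructed, with a placeholder path.

```php
<?php
// Hardened XML decoding for a REST input body (added example, not project code).
// Returns the parsed document, or null when the body is rejected or malformed.
function safe_xml_parse(string $body): ?SimpleXMLElement
{
    // No REST payload needs a DTD, so refuse any DOCTYPE outright. This stops
    // external (SYSTEM/PUBLIC) and internal entity declarations before libxml
    // ever sees them. A DOCTYPE hidden in a comment also trips this; that is an
    // acceptable false positive for an API endpoint.
    if (preg_match('/<!DOCTYPE/i', $body) === 1) {
        return null;
    }

    // On PHP < 8.0 the external entity loader may still be on by default;
    // turn it off for the parse and restore the previous state afterwards.
    // (The function is deprecated from 8.0, where loading is already off.)
    $restoreLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $restoreLoader = libxml_disable_entity_loader(true);
    }
    $previousErrors = libxml_use_internal_errors(true);

    // LIBXML_NONET forbids network fetches during parsing. LIBXML_NOENT is
    // deliberately omitted so entity references are never substituted.
    $xml = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NONET | LIBXML_NOCDATA);

    libxml_clear_errors();
    libxml_use_internal_errors($previousErrors);
    if ($restoreLoader !== null) {
        libxml_disable_entity_loader($restoreLoader);
    }

    return $xml === false ? null : $xml;
}

// Constructed sample bodies for a self-check: a plain document and one that
// declares an external entity (placeholder path, no real file referenced).
$benign  = '<?xml version="1.0"?><user><name>alice</name></user>';
$hostile = '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY e SYSTEM "file:///PLACEHOLDER">]>'
         . '<user><name>&e;</name></user>';

var_dump(safe_xml_parse($benign) !== null);
var_dump(safe_xml_parse($hostile) === null);
```

The DOCTYPE refusal is the check that actually matters; the entity-loader and flag handling are belt-and-braces for older PHP/libxml builds where the loader default is not safe.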
🧯 If You Can't Patch
- Implement WAF rules to block XML requests containing external entity declarations or DOCTYPE definitions.
- Monitor and filter incoming XML requests at the application level before they reach the vulnerable parser.
🔍 How to Verify
Check if Vulnerable:
Check if the application uses CodeIgniter Rest Server version 2.7.1 by examining the restserver directory version or composer.json.
Check Version:
grep -r "version.*2.7.1" application/libraries/REST_Controller.php || grep -i version application/libraries/REST_Controller.php
Verify Fix Applied:
Verify the version is 2.7.2 or later, and test XML parsing with external entities to confirm they are blocked.
📡 Detection & Monitoring
Log Indicators:
- XML parsing errors in application logs
- Unusual file access patterns from web server process
Network Indicators:
- HTTP POST/PUT requests with XML content containing DOCTYPE or ENTITY declarations
- Requests to sensitive file paths from web endpoints
SIEM Query:
web_method IN ('POST', 'PUT') AND content_type LIKE '%xml%' AND (url_decoded_content LIKE '%<!ENTITY%' OR url_decoded_content LIKE '%SYSTEM%')