XML External Entity injection within the body of a document

Question

If you Google for an example of XXE injection you get something like this:

<?xml version="1.0" encoding="ISO-8859-1"?>
  <!DOCTYPE foo [  
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>

where the attack is carried out from within the DTD - so at the very top of a document.

Is it instead possible to inject XML External Entities from within the body of an XML document rather than its DTD and, if so, how?

EDIT: As an example, we have a system that generates XML documents with some user-provided data from a database. The system does escape those values using CDATA but doesn't do anything else to it, so you (as a - malicious - user) could easily store some data to close the CDATA section and write XML. So long as the XML is correct and passes some XSD validation, the system is a happy system.

EDIT: Could xs:import (or similar) be used?

Answer 1

You should be OK, if the XML parser is compliant. Per the XML 1.1 spec,

The document type declaration MUST appear before the first element in the document.

However, it wouldn't be unheard of for an XML parser to fail to enforce this restriction. An XML doc with a <!DOCTYPE tag following the first element would not be well-formed, but might still be treated as though it were by some parsers, in the same way that malformed HTML is often tolerated by browsers.

Additionally, an attacker could close the entire XML document, and start a new one. The new one would not have any elements in it yet, so the doctype could be put in its correct location. The question then would be, what does your parser do with two (well-formed) documents when it only expected one?