Description
XXE in PHPSpreadsheet encoding is returned
Summary
Bypassing the filter allows an XXE attack, which in turn allows an attacker to obtain the contents of local files, even if error reporting is muted with the @ symbol (LFI-style file disclosure).
Details
The check $pattern = '/encoding="(.*?)"/'; is easy to bypass: only a double-quoted encoding attribute is matched, so simply use a single quote symbol (') instead. The payload looks like this:
If you add this header to any XML part inside an xlsx file, such as the sharedStrings.xml file, the XXE will execute.
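As an added example (not PHPSpreadsheet's own code; the function names and the sample XML parts below are constructed for illustration), the quote-sensitive check from the advisory is shown beside a quote-agnostic one, followed by the gate a defender would want in front of DOMDocument when loading XML parts from an untrusted xlsx archive:

```php
<?php
// Added example, not PHPSpreadsheet's code: contrast the quote-sensitive
// encoding check from the advisory with a quote-agnostic version, then show
// the checks to run before parsing an untrusted spreadsheet XML part.

// Weak check as quoted in the advisory: only a double-quoted encoding
// attribute is recognised, so encoding='...' is never seen by the filter.
function weakEncoding(string $xml): ?string
{
    $pattern = '/encoding="(.*?)"/';
    return preg_match($pattern, $xml, $m) ? $m[1] : null;
}

// Hardened check: accept either quote style through a backreference, anchor
// on the XML declaration, and restrict the value to characters an XML EncName
// may contain so arbitrary bytes cannot be smuggled into the encoding name.
function detectEncoding(string $xml): ?string
{
    $pattern = '/^\s*<\?xml[^>]*?\bencoding\s*=\s*([\'"])([A-Za-z][A-Za-z0-9._-]*)\1/i';
    return preg_match($pattern, $xml, $m) ? $m[2] : null;
}

// Defensive gate for one XML part extracted from an xlsx archive:
//  1. normalise to UTF-8 using the *detected* encoding, so a byte-level
//     substring check cannot be evaded by declaring another charset;
//  2. refuse any document that carries a DOCTYPE or ENTITY declaration;
//  3. parse without network access and without entity substitution.
function loadSpreadsheetPart(string $xml): DOMDocument
{
    $enc = detectEncoding($xml) ?? 'UTF-8';
    $known = array_map('strtoupper', mb_list_encodings());
    if (!in_array(strtoupper($enc), $known, true)) {
        throw new RuntimeException("Unknown XML encoding declared: $enc");
    }
    if (strcasecmp($enc, 'UTF-8') !== 0) {
        $xml = mb_convert_encoding($xml, 'UTF-8', $enc);
    }
    if (stripos($xml, '<!DOCTYPE') !== false || stripos($xml, '<!ENTITY') !== false) {
        throw new RuntimeException('Refusing XML part with a DOCTYPE/ENTITY declaration');
    }
    libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    // LIBXML_NONET blocks remote fetches during parsing; LIBXML_NOENT is
    // deliberately not set, so entity references are never expanded.
    if (!$dom->loadXML($xml, LIBXML_NONET)) {
        throw new RuntimeException('Malformed XML part');
    }
    return $dom;
}

// Constructed samples (not from the advisory). The second part declares a
// harmless internal entity but differs from the first in the declaration's
// quote style, which is exactly what the weak pattern fails to see.
$doubleQuoted = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    . '<sst><si><t>hello</t></si></sst>';
$singleQuoted = "<?xml version='1.0' encoding='UTF-8' standalone='yes'?>"
    . '<!DOCTYPE sst [<!ENTITY greeting "hello">]>'
    . '<sst><si><t>&greeting;</t></si></sst>';

echo 'weak, double-quoted: ', var_export(weakEncoding($doubleQuoted), true), PHP_EOL;
echo 'weak, single-quoted: ', var_export(weakEncoding($singleQuoted), true), PHP_EOL;
echo 'hardened, single-quoted: ', var_export(detectEncoding($singleQuoted), true), PHP_EOL;

loadSpreadsheetPart($doubleQuoted);
echo 'double-quoted part accepted', PHP_EOL;
try {
    loadSpreadsheetPart($singleQuoted);
} catch (RuntimeException $e) {
    echo 'single-quoted part rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run it with the PHP CLI: the weak pattern returns null for the single-quoted declaration while the hardened pattern still extracts the encoding, and the gate rejects the part carrying a DOCTYPE before DOMDocument ever sees it. The DOCTYPE/ENTITY rejection is what matters for a consumer of spreadsheet files; the encoding normalisation only exists so that rejection operates on the bytes the parser will actually interpret.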
PoC
- Create a simple xlsx file.
- Rename the xlsx file to zip.
- Open the zip and open the xl/sharedStrings.xml file in edit mode.
- Replace <?xml version="1.0" encoding="UTF-8" standalone="yes"?> with the payload header described above.
- Save the sharedStrings.xml file and rename the zip back to xlsx.
- Use minimal PHP code that simply opens this xlsx file:
- You will receive the request to your http://%webhook%/file.dtd
- Don't forget that you can use PHP wrappers in the XXE; some php:// wrapper payloads allow fetching local files.
Impact
Read local files
Packages

Package                    Affected versions    Patched version
phpoffice/phpspreadsheet   < 1.29.1             1.29.1
phpoffice/phpspreadsheet   >= 2.2.0, < 2.2.1    2.2.1
phpoffice/phpspreadsheet   >= 2.0.0, < 2.1.1    2.1.1
phpoffice/phpexcel         <= 1.8.2             None
Related vulnerabilities
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions are subject to a bypass of a filter which allows an XXE attack. This in turn allows an attacker to obtain the contents of local files, even if error reporting is muted. This vulnerability has been addressed in release version 2.2.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.