Headline
GHSA-q9jv-mm3r-j47r: PhpSpreadsheet allows bypass XSS sanitizer using the javascript protocol and special characters
Bypass XSS sanitizer using the javascript protocol and special characters
Product: Phpspreadsheet
Version: version 3.6.0
CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CVSS vector v.3.1: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVSS vector v.4.0: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)
Description: an attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link
Impact: executing arbitrary JavaScript code in the browser
Vulnerable component: class PhpOffice\PhpSpreadsheet\Writer\Html, method generateRow
Exploitation conditions: a user viewing a specially generated Excel file
Mitigation: additional sanitization of special characters in a string
Researcher: Aleksey Solovev (Positive Technologies)
Research
The researcher discovered zero-day vulnerability Bypass XSS sanitizer using the javascript protocol and special characters in Phpspreadsheet.
The following code is written on the server, which translates the XLSX file into a HTML representation and displays it in the response.
Listing 6. Source code on the server
<?php
require __DIR__ . '/vendor/autoload.php';
$inputFileName = './doc/Book1.xlsx';
$spreadsheet = \PhpOffice\PhpSpreadsheet\IOFactory::load($inputFileName);
$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
print($writer->generateHTMLAll());
An attacker can use special characters so that this library processes the javascript protocol with special characters and generates a HTML link.
The Excel file is unpacked and a hyperlink in the file is inserted into the xl/worksheets/sheet1.xml file.
Figure 11. Using the javascript protocol with special characters
Some payloads help bypass the security system and carry out a XSS attack.
Listing 7. HTML form that demonstrates the exploitation of the XSS vulnerability
jav	ascript:alert()
jav
ascript:alert()
jav
ascript:alert()
It’s clear that the javascript protocol with special characters is used.
Figure 12. Using the javascript protocol with special characters
Due to the special characters, the execution stream ends up on line 1543, and the link is built in HTML form with the javascript protocol.
<img width="373" alt="fig13" src="https://github.com/user-attachments/assets/3ca0c3c6-daa9-4502-ad9e-b803f308fd26" />
Figure 13. Executing arbitrary JavaScript code
Credit
This vulnerability was discovered by Aleksey Solovev (Positive Technologies)
Bypass XSS sanitizer using the javascript protocol and special characters
Product: Phpspreadsheet
Version: version 3.6.0
CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CVSS vector v.3.1: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVSS vector v.4.0: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)
Description: an attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link
Impact: executing arbitrary JavaScript code in the browser
Vulnerable component: class PhpOffice\PhpSpreadsheet\Writer\Html, method generateRow
Exploitation conditions: a user viewing a specially generated Excel file
Mitigation: additional sanitization of special characters in a string
Researcher: Aleksey Solovev (Positive Technologies)
Research
The researcher discovered zero-day vulnerability Bypass XSS sanitizer using the javascript protocol and special characters in Phpspreadsheet.
The following code is written on the server, which translates the XLSX file into a HTML representation and displays it in the response.
Listing 6. Source code on the server
<?php
require __DIR__ . '/vendor/autoload.php';
$inputFileName = './doc/Book1.xlsx';
$spreadsheet = \PhpOffice\PhpSpreadsheet\IOFactory::load($inputFileName);
$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
print($writer->generateHTMLAll());
An attacker can use special characters so that this library processes the javascript protocol with special characters and generates a HTML link.
The Excel file is unpacked and a hyperlink in the file is inserted into the xl/worksheets/sheet1.xml file.
Figure 11. Using the javascript protocol with special characters
Some payloads help bypass the security system and carry out a XSS attack.
Listing 7. HTML form that demonstrates the exploitation of the XSS vulnerability
jav	ascript:alert()
jav
ascript:alert()
jav
ascript:alert()
It’s clear that the javascript protocol with special characters is used.
Figure 12. Using the javascript protocol with special characters
Due to the special characters, the execution stream ends up on line 1543, and the link is built in HTML form with the javascript protocol.
Figure 13. Executing arbitrary JavaScript code
Credit
This vulnerability was discovered by Aleksey Solovev (Positive Technologies)
References
- GHSA-q9jv-mm3r-j47r
- PHPOffice/PhpSpreadsheet@45052f8
- https://nvd.nist.gov/vuln/detail/CVE-2024-56412