GHSA-79xx-vf93-p7cx

Summary

The researcher discovered zero-day vulnerability Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file into a HTML representation and displays it in the response.

Details

When generating the HTML from an xlsx file containing multiple sheets, a navigation menu is created. This menu includes the sheet names, which are not sanitized. As a result, an attacker can exploit this vulnerability to execute JavaScript code.

        // Construct HTML
        $html = '';

        // Only if there are more than 1 sheets
        if (count($sheets) > 1) {
            // Loop all sheets
            $sheetId = 0;

            $html .= '<ul class="navigation">' . PHP_EOL;

            foreach ($sheets as $sheet) {
                $html .= '  <li class="sheet' . $sheetId . '"><a href="#sheet' . $sheetId . '">' . $sheet->getTitle() . '</a></li>' . PHP_EOL;
                ++$sheetId;
            }

            $html .= '</ul>' . PHP_EOL;
        }

PoC

1. Create an XLSX file with multiple sheets :

2. Generate the HTML content

   <?php
       require __DIR__ . '/vendor/autoload.php';
   
       $inputFileName = 'payload.xlsx';
       $spreadsheet = \PhpOffice\PhpSpreadsheet\IOFactory::load($inputFileName);
       $writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
       $writer->writeAllSheets();
       echo $writer->generateHTMLAll();
   ?>
   

3. Enjoy

Impact

XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. Example of impacts :

• Disclosure of the user’s session cookie, allowing an attacker to hijack the user’s session and take over the account (Only if HttpOnly cookie's flag is set to false).
• Redirecting the user to some other page or site (like phishing websites)
• Modifying the content of the current page (add a fake login page that sends credentials to the attacker).
• Automatically download malicious files.
• Requests access to the victim geolocation / camera.
• ...