Description

Cross-Site Scripting (XSS) vulnerability in generateNavigation() function in PhpSpreadsheet

Summary

The researcher discovered zero-day vulnerability Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file into a HTML representation and displays it in the response.

Details

When generating the HTML from an xlsx file containing multiple sheets, a navigation menu is created. This menu includes the sheet names, which are not sanitized. As a result, an attacker can exploit this vulnerability to execute JavaScript code.

        // Construct HTML
        $html = '';

        // Only if there are more than 1 sheets
        if (count($sheets) > 1) {
            // Loop all sheets
            $sheetId = 0;
...
Show more

PoC

Create an XLSX file with multiple sheets :

Generate the HTML content

<?php
	require __DIR__ . '/vendor/autoload.php';

	$inputFileName = 'payload.xlsx';
	$spreadsheet = \PhpOffice\PhpSpreadsheet\IOFactory::load($inputFileName);
	$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
	$writer->writeAllSheets();
	echo $writer->generateHTMLAll();...
Show more

Enjoy

Impact

XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. Example of impacts :

Disclosure of the user’s session cookie, allowing an attacker to hijack the user’s session and take over the account (Only if HttpOnly cookie's flag is set to false).

Redirecting the user to some other page or site (like phishing websites)

Modifying the content of the current page (add a fake login page that sends credentials to the attacker).

Automatically download malicious files.

Requests access to the victim geolocation / camera.

...

Mitigation

Aliases

References