Reflected cross-site scripting (XSS) In phpoffice/phpexcel
Description
PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol and special characters
Product: PhpSpreadsheet
Version: 3.8.0
CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS vector v.3.1: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVSS vector v.4.0: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)
Description: an attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link
Impact: executing arbitrary JavaScript code in the browser
Vulnerable component: class PhpOffice\PhpSpreadsheet\Writer\Html, method generateRow
Exploitation conditions: a user viewing a specially generated xml file
Mitigation: additional sanitization of special characters in a string
Researcher: Igor Sak-Sakovskiy (Positive Technologies)
Research
The researcher discovered zero-day vulnerability Bypass XSS sanitizer using the javascript protocol and special characters in Phpspreadsheet. The following code is written on the server, which translates the XML file into an HTML representation and displays it in the response.
Listing 4. Source code on the server
<?php require __DIR__ . '/vendor/autoload.php'; $inputFileType = 'Xml'; $reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader($inputFileType); $inputFileName = './doc/file.xml';...
The contents of the xml file - ./doc/file.xml
Listing 5. The contents of the xml file
<?xml version="1.0"?> <?mso-application progid="Excel.Sheet"?> <Workbook xmlns="urn:schemas-microsoft-com:office:spreadsheet" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:html="http://www.w3.org/TR/REC-html40"> <DocumentProperties xmlns="urn:schemas-microsoft-com:office:office"> ...
Due to the load with a special character in front of the javascript protocol, the execution flow hits line 1595, not 1593.
Figure 4. Generating a link bypassing a regular expression
In the response from the server, you can see which special character is located in front of the javascript protocol after conversion.
Figure 5. Response from the server with a special character
When viewing the rendered result, a link becomes visible in the browser, and when clicked, the embedded JavaScript code will be executed.
Figure 6. Executing JavaScript code
Credit
Igor Sak-Sakovskiy (Positive Technologies)
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 packagist | - | ||
packagist | 3.9.0, 1.29.9, 2.3.7, 2.1.8 |
Aliases
References