CVE-2024-45290 in PhpSpreadsheet
Summary
by MITRE • 10/08/2024
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. It's possible for an attacker to construct an XLSX file which links media from external URLs. When opening the XLSX file, PhpSpreadsheet retrieves the image size and type by reading the file contents, if the provided path is a URL. By using specially crafted `php://filter` URLs an attacker can leak the contents of any file or URL. Note that this vulnerability is different from GHSA-w9xv-qf98-ccq4, and resides in a different component. An attacker can access any file on the server, or leak information from arbitrary URLs, potentially exposing sensitive information such as AWS IAM credentials. This issue has been addressed in release versions 1.29.2, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Analysis
by VulDB Data Team • 10/17/2024
The vulnerability identified as CVE-2024-45290 affects PHPSpreadsheet, a widely-used PHP library designed for reading and writing spreadsheet files in various formats including XLSX. This library is fundamental to many web applications that handle spreadsheet data, making it a critical component in the software supply chain. The flaw resides in how the library processes external media references within XLSX files, specifically when these references point to URLs rather than local file paths. When PHPSpreadsheet encounters a URL-based media reference, it attempts to retrieve and analyze the file contents to determine the image size and type, which creates an attack surface that can be exploited through maliciously crafted XLSX files.
The technical exploitation of this vulnerability leverages PHP's stream filter wrapper through specially crafted php://filter URLs. Because the media path taken from the XLSX is handed directly to PHP's stream-aware file functions, PHP applies the requested filters and returns the contents of the referenced resource, letting an attacker read arbitrary files from the server's file system or fetch data from external URLs. The root cause is insufficient validation and sanitization of the media URL within PhpSpreadsheet's media handling component, which turns an image-probing step into an information disclosure vector that can be chained toward privilege escalation and data exfiltration.
The operational impact of this vulnerability extends beyond simple information disclosure, as it can lead to complete system compromise when attackers gain access to sensitive server files. The ability to read any file on the server opens the door to extracting configuration files, database credentials, application source code, and potentially AWS IAM credentials that could be stored in accessible locations. This represents a severe threat to organizations using PHPSpreadsheet, particularly those that process user-uploaded spreadsheets without proper validation or sandboxing measures. The vulnerability is classified under CWE-20, which addresses improper input validation, and aligns with ATT&CK technique T1566 for spearphishing attachments, as attackers can craft malicious XLSX files to deliver this exploit.
Organizations using PHPSpreadsheet are strongly advised to upgrade to versions 1.29.2, 2.1.1, or 2.3.0, which contain the necessary patches to address this vulnerability. The fix implements proper URL validation and sanitization to prevent the exploitation of PHP's filter wrapper functionality. Security practitioners should also consider implementing network-level controls to restrict outbound connections from applications that process spreadsheet files, particularly when dealing with untrusted input. Additionally, organizations should conduct thorough security assessments of their applications that utilize PHPSpreadsheet to ensure proper input validation and sanitization mechanisms are in place. The vulnerability demonstrates the importance of secure coding practices and the potential risks associated with improper handling of external resources in web applications, particularly those that process user-supplied files containing references to external media.
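As an added illustration of such an input check, not PhpSpreadsheet's own code nor the project's fix: the scanner below unpacks the XLSX container, walks every relationships part for externally linked images, and flags any target whose scheme is not a plain http(s) URL, which is where a `php://filter` reference would appear. The workbook it scans is a constructed minimal sample, and the file layout it assumes (`*.rels` parts with `TargetMode="External"` image relationships) is the standard OOXML packaging convention.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
IMAGE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"

# Only plain web URLs are acceptable for an externally linked image; any other
# scheme (php://, file://, phar://, data:) or a bare local path is rejected.
ALLOWED_SCHEMES = {"http", "https"}


def external_image_targets(xlsx_bytes):
    """Return (part_name, target) for every externally linked image in the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == IMAGE_REL and rel.get("TargetMode") == "External":
                    found.append((name, rel.get("Target", "")))
    return found


def suspicious_targets(xlsx_bytes):
    """Externally linked images whose target is not a plain http(s) URL."""
    return [(part, target) for part, target in external_image_targets(xlsx_bytes)
            if urlsplit(target).scheme.lower() not in ALLOWED_SCHEMES]


def build_sample_xlsx(targets):
    """Constructed minimal package (not a real spreadsheet): one drawing
    relationships part carrying the given external image targets."""
    rels = "".join(
        f'<Relationship Id="rId{i + 1}" Type="{IMAGE_REL}" Target="{t}" TargetMode="External"/>'
        for i, t in enumerate(targets))
    xml = f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">{rels}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/drawings/_rels/drawing1.xml.rels", xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: one benign web image and one stream-wrapper reference.
    sample = build_sample_xlsx(["https://example.com/logo.png",
                                "php://filter/resource=/path/placeholder"])
    for part, target in suspicious_targets(sample):
        print(f"REJECT {part}: {target}")
```

Run this before handing an uploaded workbook to the library; a non-empty result from `suspicious_targets` is reason to refuse the file, independently of the library version in use.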