CVE-2024-45293 in PhpSpreadsheet

Summary

by MITRE • 10/07/2024

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The security scanner responsible for preventing XXE attacks in the XLSX reader can be bypassed by slightly modifying the XML structure, utilizing whitespace. On servers that allow users to upload their own Excel (XLSX) sheets, server files and sensitive information can be disclosed by providing a crafted sheet. The security scan function in src/PhpSpreadsheet/Reader/Security/XmlScanner.php contains a flawed XML encoding check to retrieve the input file's XML encoding in the toUtf8 function. The function searches for the XML encoding through a defined regex which looks for `encoding="*"` and/or `encoding='*'`; if it is not found, the function defaults to the UTF-8 encoding, which bypasses the conversion logic. This logic can be used to pass a UTF-7 encoded XXE payload by utilizing a whitespace before or after the = in the attribute definition. This results in sensitive information disclosure through XXE on sites that allow users to upload their own Excel spreadsheets and parse them using PHPSpreadsheet's Excel parser. This issue has been addressed in release versions 1.29.1, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.


Analysis

by VulDB Data Team • 10/11/2024

The vulnerability identified as CVE-2024-45293 affects PHPSpreadsheet, a widely used pure PHP library for handling spreadsheet files. This security flaw specifically targets the XLSX reader component's XML security scanning mechanism, creating a critical pathway for unauthorized information disclosure. The vulnerability stems from a design flaw in the XmlScanner.php file located at src/PhpSpreadsheet/Reader/Security/XmlScanner.php, where the security measures intended to prevent XML External Entity (XXE) attacks can be circumvented through subtle XML structure modifications. The core issue lies within the toUtf8 function's implementation of XML encoding detection, which employs a regular expression pattern to identify encoding declarations only in the exact forms `encoding=""` or `encoding=''`. This detection mechanism fails to account for variations in whitespace placement around the equals sign in XML attribute definitions, which the XML grammar permits, allowing attackers to manipulate the parsing behavior.

The technical exploitation of this vulnerability relies on the manipulation of XML encoding declarations through whitespace characters that are ignored by a conforming XML parser but cause the scanner's regular expression to miss the declaration. When an attacker crafts a malicious XLSX file with UTF-7 encoded XXE payloads, they can insert whitespace before or after the equals sign in the encoding attribute definition, causing the regex pattern to fail in identifying the actual encoding specification. This failure results in the system defaulting to UTF-8, which bypasses the conversion logic that would normally transcode the document to UTF-8 before it is scanned for malicious XXE content, so the scanner never sees the decoded markup. The vulnerability creates a direct pathway for sensitive information disclosure when servers permit user uploads of Excel files that are subsequently parsed using PHPSpreadsheet's Excel parser, as the security scanner cannot properly identify and neutralize the crafted payloads. This weakness aligns with CWE-611 (Improper Restriction of XML External Entity Reference) and represents a specific implementation flaw in XML parsing security controls.
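The encoding-detection defect described in the summary and analysis above, and the check a scanner needs instead, as an added Python re-creation (this is not PhpSpreadsheet's own code, and the hardened pattern is an assumption illustrating the fix, not the project's actual patch):

```python
import base64
import re

# Flawed check as the advisory describes it: only encoding="..." / encoding='...'
# with no whitespace around '=' is recognised; anything else falls back to UTF-8.
WEAK_ENCODING_RE = re.compile(rb'encoding=["\']([^"\']+)["\']', re.IGNORECASE)

# Hardened check (an assumption, not the project's patch): allow the whitespace
# the XML grammar permits around '=' and only look inside the <?xml ...?> declaration.
HARDENED_ENCODING_RE = re.compile(
    rb'<\?xml\b[^>]*?\bencoding\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def detect_encoding(raw: bytes, pattern: re.Pattern) -> str:
    """Return the declared encoding found by `pattern`, defaulting to UTF-8."""
    m = pattern.search(raw[:1024])
    return m.group(1).decode("ascii", "replace").upper() if m else "UTF-8"


def scan_for_doctype(raw: bytes, pattern: re.Pattern) -> bool:
    """True when the document must be rejected: a DOCTYPE is present once the
    input has been converted to text using the *detected* encoding."""
    enc = detect_encoding(raw, pattern)
    try:
        text = raw.decode(enc, errors="replace")
    except LookupError:
        return True  # unknown encoding: refuse rather than guess
    return "<!DOCTYPE" in text.upper()


def utf7_shift(text: str) -> bytes:
    """UTF-7 '+...-' shift sequence for `text` (unpadded base64 of its UTF-16BE form)."""
    return b"+" + base64.b64encode(text.encode("utf-16-be")).rstrip(b"=") + b"-"


# Constructed regression input (not from the advisory): legal whitespace around
# '=' in the declaration, and the '<!' of a harmless, entity-free DOCTYPE written
# as a UTF-7 shift sequence so the literal bytes '<!DOCTYPE' never appear raw.
SAMPLE = (b'<?xml version="1.0" encoding = "UTF-7"?>\n'
          + utf7_shift("<!") + b"DOCTYPE note>\n<note>hi</note>\n")
```

With the weak pattern the sample is classified as UTF-8 and passes the DOCTYPE scan; with the hardened pattern it is decoded as UTF-7 first and rejected.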

The operational impact of CVE-2024-45293 extends beyond simple information disclosure to potentially compromise entire server environments through XXE attack vectors. Servers that allow user-uploaded Excel files and subsequently parse them using PHPSpreadsheet become vulnerable to attacks that could access server files, internal network resources, or sensitive data stored on the hosting system. The vulnerability affects multiple versions of PHPSpreadsheet, with remediation available in releases 1.29.1, 2.1.1, and 2.3.0, indicating that this issue has been recognized as a critical security concern requiring immediate attention. Organizations utilizing PHPSpreadsheet for processing user-uploaded spreadsheet files face significant risk, as the vulnerability can be exploited without requiring special privileges or advanced technical skills from attackers. The lack of known workarounds for this vulnerability means that affected systems must be upgraded to patched versions to achieve proper protection against XXE attacks. This issue demonstrates the importance of robust input validation and security scanning mechanisms in file processing libraries, particularly those handling structured data formats like XML-based spreadsheet files. The ATT&CK framework categorizes this vulnerability under T1566 (Phishing with Malicious Attachments) and T1059 (Command and Scripting Interpreter) as attackers could leverage this weakness to execute malicious payloads through seemingly legitimate spreadsheet uploads, potentially leading to further compromise of systems and data exfiltration.

Responsible

GitHub M

Reservation

08/26/2024

Disclosure

10/07/2024

Moderation

accepted

CPE

ready

EPSS

0.02859

KEV

no

Activities

very low
