PHPOffice PhpSpreadsheet before 1.8.0 Improper Restriction of XML External Entity Reference Vulnerability

Summary

PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than UTF-8 is declared in the header. 

Credit:

The information has been provided by Daniel Hoffmann

The original article can be found at:https://herolab.usd.de/security-advisories/usd-2019-0046/

 


Details

This was a security measure to prevent the vulnerability but the fix is not sufficient. By double-encoding the the xml payload to utf-7 it is possible to bypass the check for the string ?<!ENTITY? and thus allowing for an xml external entity processing (XXE) attack.

 

Vulnerable Systems:

PHPOffice PhpSpreadsheet before 1.8.0 

 

CVE Information:

CVE-2019-12331

 

Disclosure Timeline:
Published Date:11/7/2019