Cross-site Scripting in PHPOffice/PhpSpreadsheet #886

Closed
wants to merge 3 commits into from

Contributor

@nikkolai14 nikkolai14 commented Nov 7, 2020

✍️ Description

PHPOffice/PhpSpreadsheet is a library written in pure PHP and offers a set of classes that allow you to read and write various spreadsheet file formats such as Excel and LibreOffice Calc.

This package is vulnerable to Cross-site Scripting when creating HTML output from an Excel file.

🕵️‍♂️ Proof of Concept

  1. Setup Project
  2. Create an excel file -> Insert Comment -> Insert Payload <script>alert(1)</script>
  3. Move the file to the project dir
  4. Create a php file with filename convert-excel-to-html.php -> Insert code below
<?php

require './vendor/autoload.php';

use PhpOffice\PhpSpreadsheet\IOFactory;

$filename = 'INSERT_YOUR_EXCEL_FILE_HERE';

$spreadsheet = IOFactory::load('./'.$filename);
$writer = IOFactory::createWriter($spreadsheet, 'Html');

$filename = 'testxss.html';
$writer->save($filename);
  5. Open Project dir in terminal -> run command php convert-excel-to-html.php
  6. testxss.html html file will be generated in project root dir
  7. Open generated html file with filename testxss.html on Browser
  8. Verify that the payload will be triggered

💥 Impact

The attacker can inject any malicious script in the user's browser.

☎️ Contact

Nope

✅ Checklist

In my pull request, I have:

  • Created and populated the README.md and vulnerability.json files
  • Provided the repository URL and any applicable permalinks
  • Defined all the applicable weaknesses (CWEs)
  • Proposed the CVSS vector items i.e. User Interaction, Attack Complexity
  • Checked that the vulnerability affects the latest version of the package released
  • Checked that a fix does not currently exist that remediates this vulnerability
  • Complied with all applicable laws
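
A regression check for the behaviour reported above, as an added example that is not part of the original pull request or of PhpSpreadsheet's own code: it flags cell comments that contain markup before conversion, then counts `<script>` elements in the HTML the writer produces. The function names, the in-memory sample workbook and the assumption that clean writer output contains no script elements belong to this example.

```php
<?php
// Added example, not code from the PR or from PhpSpreadsheet.
require './vendor/autoload.php';

use PhpOffice\PhpSpreadsheet\IOFactory;
use PhpOffice\PhpSpreadsheet\Spreadsheet;

/** List cell comments whose text contains HTML-significant characters. */
function findMarkupInComments(Spreadsheet $spreadsheet): array
{
    $findings = [];
    foreach ($spreadsheet->getAllSheets() as $sheet) {
        foreach ($sheet->getComments() as $cell => $comment) {
            $text = $comment->getText()->getPlainText();
            $escaped = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            // Escaping only changes the text when it contains <, >, &, " or '.
            if ($escaped !== $text) {
                $findings[] = ['sheet' => $sheet->getTitle(), 'cell' => $cell, 'escaped' => $escaped];
            }
        }
    }
    return $findings;
}

/** Count <script> elements in generated HTML (assumption: clean writer output has none). */
function countScriptElements(string $htmlPath): int
{
    libxml_use_internal_errors(true); // tolerate markup libxml does not recognise
    $dom = new DOMDocument();
    $dom->loadHTMLFile($htmlPath);
    libxml_clear_errors();
    return $dom->getElementsByTagName('script')->length;
}

// Constructed sample: an in-memory workbook whose comment carries the string from step 2.
$spreadsheet = new Spreadsheet();
$spreadsheet->getActiveSheet()->setCellValue('A1', 'constructed sample');
$spreadsheet->getActiveSheet()->getComment('A1')->getText()->createTextRun('<script>alert(1)</script>');

foreach (findMarkupInComments($spreadsheet) as $f) {
    fwrite(STDERR, "markup in comment {$f['sheet']}!{$f['cell']}: {$f['escaped']}\n");
}

// Hypothetical output path used only by this check.
$out = sys_get_temp_dir() . '/comment-xss-check-' . uniqid() . '.html';
IOFactory::createWriter($spreadsheet, 'Html')->save($out);
$scripts = countScriptElements($out);
echo $scripts === 0 ? "OK: no script elements in output\n" : "FAIL: {$scripts} script element(s) in output\n";
exit($scripts === 0 ? 0 : 1);
```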

@huntr-helper huntr-helper added the disclosure Vulnerability disclosure label Nov 7, 2020
@JamieSlome
Contributor

@nikkolai14 - can you lowercase the directory to match the name of Package.Name?

Cheers! 🍰

@nikkolai14
Contributor Author

@JamieSlome it is done, thanks

@JamieSlome JamieSlome added disclosure Vulnerability disclosure and removed disclosure Vulnerability disclosure labels Nov 24, 2020
@JamieSlome
Contributor

@nikkolai14 - can you also please include the repository owner and name in the Repository object?

@bbeale
Contributor

bbeale commented Nov 24, 2020

Looks like there may be a fix for this.

@JamieSlome
Contributor

Closing as it looks like there has already been a fix!

Thanks, @nikkolai14! 🍰

@JamieSlome JamieSlome closed this Nov 24, 2020
@JamieSlome JamieSlome added discussion A discussion around a topic and removed discussion A discussion around a topic labels Nov 24, 2020