PHPExcel/PhpSpreadsheet has a logical error that leads to a dead loop problem #3807
Comments
|
Thank you for the report and the excellent documentation. Expect a solution for PhpSpreadsheet within a day or two. PHPExcel is no longer maintained and will not be fixed. |
oleibman
added a commit
to oleibman/PhpSpreadsheet
that referenced
this issue
Dec 2, 2023
Fix PHPOffice#3807. Function attempts to rationalize `..` in filenames in a way that normally works just fine. Reporter notes that at least one of the filenames that will be analyzed when a spreadsheet is read can be maliciously altered in a manner which does not harm Excel when reading the file, but which puts PhpSpreadsheet into a loop. This PR fixes the problem.
11 tasks
oleibman
added a commit
that referenced
this issue
Dec 5, 2023
Fix #3807. Function attempts to rationalize `..` in filenames in a way that normally works just fine. Reporter notes that at least one of the filenames that will be analyzed when a spreadsheet is read can be maliciously altered in a manner which does not harm Excel when reading the file, but which puts PhpSpreadsheet into a loop. This PR fixes the problem.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Affected Product Versions:
PHPExcel: <= 1.8.2
PhpSpreadsheet : <= 1.29.0
Vulnerability Description
This vulnerability arises from a logic flaw present in the affected products, allowing attackers to trigger an infinite loop through specific conditions. In versions of Product PHPExcel up to and including 1.8.2 and Product PhpSpreadsheet up to and including 1.29.0, an attacker can exploit this vulnerability to significantly increase CPU usage, ultimately rendering the Web service unavailable.
Recurrence of vulnerabilities
The following is the usage rate of cups for normal requests to web services
Creating malicious payload files,
Any normal Excel file, modify xl_ Rels \ workbook.xml.rels content,
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml/../../../../../../../../1.txt"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.xml"/></Relationships>Uploading malicious files and requesting data packets that have not been responded to, a dead loop has occurred at this point,
View the current CPU usage rate,
Send two more requests and you can see an instant increase in cup usage,
Code reproduction
Unset only destroys array elements, but does not re index the array,
The condition that causes the while loop to persist,
Repair suggestions
Re index the array, below is the reference code
$pathArray = array_values($pathArray);
PhpSpreadsheet code analysis
The text was updated successfully, but these errors were encountered: