XXE injection is possible via specially crafted excel file #10
Hi Evgeny, Thanks for highlighting that vulnerability. Just to note that this project was never released to CPAN, hasn't been worked on since April 2012, and is effectively abandoned. There are maintained solutions such as Spreadsheet::ParseXLSX that people should be using instead.
John
Hi John, Thanks for the clarification. I just came across the bug in several projects that were using this module for xlsx processing. Just wanted to leave the report here for those who will possibly use the code, as a reminder that they will need to fix the issue themselves.
Evgeny
Thanks. Is there a workaround for this issue?
It should be something like
during XML parser init. Sure, I can send a PR, but it'll take some time because I'm not a Perl developer at all =)
I've pushed a fix for this to master. If you encounter users with this vulnerability you can ask them to upgrade or, better still, to use a supported module. Either way, thank you for the report.
@luc-lynx Where to add this payload in Excel files? Kindly make a video for it. Using Linux LibreOffice. Also other Office files: Word, PP, etc.
The module is vulnerable to XXE injection that allows reading local files, making network requests, etc.
How to reproduce the issue: add the payload to `xl/sharedStrings.xml` like in the attached file. As a result you'll see the content of your local `/etc/passwd` file.

Attachment: test2.xlsx
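The two technical points in this thread are where the payload lives and what "during XML parser init" has to change. An xlsx file is a ZIP container, and the shared-string table is the member `xl/sharedStrings.xml`, so the reproduction is: unzip the workbook, put an external-entity declaration into that member, re-zip it. The example below is added here and is not the project's code or the reporter's attachment: it embeds a constructed `sharedStrings.xml` carrying the classic `file:///etc/passwd` entity, then parses it with XML::LibXML once with entity substitution enabled and once with a hardened parser init. XML::LibXML is assumed because the page does not show which XML parser the module uses; the options map directly to libxml2 flags and are the same ones `XML::LibXML::Reader->new` accepts if the module uses the pull parser.

```perl
#!/usr/bin/env perl
# Added example (not the project's code): the xl/sharedStrings.xml payload
# described in the issue, and what "during XML parser init" means for
# XML::LibXML. Everything here is constructed for illustration.
use strict;
use warnings;
use XML::LibXML;

# Constructed payload: this is the xl/sharedStrings.xml member of the xlsx
# zip, with an external general entity that a naive parser substitutes
# into the text of the first shared string (and so into a cell value).
my $SHARED_STRINGS = <<'XML';
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sst [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
     count="1" uniqueCount="1">
  <si><t>&xxe;</t></si>
</sst>
XML

# Vulnerable parser init: entity substitution and external DTD loading on.
# XML::LibXML's defaults for these options have changed between releases,
# so both cases set them explicitly instead of relying on the default.
sub parse_unsafe {
    my ($xml) = @_;
    my $parser = XML::LibXML->new(
        expand_entities => 1,   # XML_PARSE_NOENT: substitute entities
        load_ext_dtd    => 1,   # XML_PARSE_DTDLOAD: fetch external DTDs
    );
    return $parser->parse_string($xml);
}

# Hardened parser init: no entity substitution, no external DTD, no network.
# no_network only blocks http/ftp, not file://, so expand_entities => 0 is
# the option that actually stops the local file read.
sub parse_safe {
    my ($xml) = @_;
    my $parser = XML::LibXML->new(
        expand_entities => 0,
        load_ext_dtd    => 0,
        no_network      => 1,
    );
    my $doc = $parser->parse_string($xml);
    # Belt and braces: a real sharedStrings.xml never carries a DOCTYPE,
    # so refuse the document outright if one is present.
    die "sharedStrings.xml must not contain a DOCTYPE\n"
        if defined $doc->internalSubset || defined $doc->externalSubset;
    return $doc;
}

# Text of the first shared string, ignoring the SpreadsheetML namespace.
sub first_shared_string {
    my ($doc) = @_;
    return $doc->findvalue('(//*[local-name()="t"])[1]');
}

# Demonstration: the unsafe parse returns the contents of /etc/passwd as
# the first shared string; the hardened parse refuses the document.
my $leaked = first_shared_string(parse_unsafe($SHARED_STRINGS));
print "unsafe parser, first shared string:\n$leaked\n";

my $doc = eval { parse_safe($SHARED_STRINGS) };
print "hardened parser: ", ($@ ? "rejected: $@" : "accepted\n");
```

The same `expand_entities => 0, load_ext_dtd => 0, no_network => 1` triple belongs in every parser the reader constructs, not only for `sharedStrings.xml`: `workbook.xml`, the worksheet parts and the relationship files are all attacker-controlled XML inside the same zip. The DOCTYPE check is the cheap allow-list on top of that, since no OOXML part legitimately declares one.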