Summary

One of the sample scripts in PhpSpreadsheet is susceptible to a cross-site scripting (XSS) vulnerability due to improper handling of input where a number is expected, leading to formula injection.

Details

The following code in 45_Quadratic_equation_solver.php concatenates the user-supplied parameters directly into spreadsheet formulas. This allows an attacker to take control over the formula and output unsanitized data into the page, resulting in JavaScript execution.

```php
<?php
use PhpOffice\PhpSpreadsheet\Calculation\Calculation;

// Vulnerable: the raw POST values, and then the computed discriminant, are spliced into formula text.
$discriminantFormula = '=POWER(' . $_POST['B'] . ',2) - (4 * ' . $_POST['A'] . ' * ' . $_POST['C'] . ')';
$discriminant = Calculation::getInstance()->calculateFormula($discriminantFormula);
$r1Formula = '=IMDIV(IMSUM(-' . $_POST['B'] . ',IMSQRT(' . $discriminant . ')),2 * ' . $_POST['A'] . ')';
$r2Formula = '=IF(' . $discriminant . '=0,"Only one root",IMDIV(IMSUB(-' . $_POST['B'] . ',IMSQRT(' . $discriminant . ')),2 * ' . $_POST['A'] . '))';
```

PoC

Open 45_Quadratic_equation_solver.php in a browser, fill in b and c, and enter the following for a:

```
1) & ("1)),1)&char(60)&char(105)&char(109)&char(103)&char(32)&char(115)&char(114)&char(99)&char(61)&char(120)&char(32)&char(111)&char(110)&char(101)&char(114)&char(114)&char(111)&char(114)&char(61)&char(97)&char(108)&char(101)&char(114)&char(116)&char(40)&char(41)&char(62)&POWER(((1") &n("1")&(1
```

Impact

I estimate that the impact for this project is relatively small, as these are just the sample files and they should not be included when using the library correctly (i.e. from Composer). However, there are at least 2 instances of popular WordPress plugins that have accidentally exposed this file by including the entire git repository. As these files also serve as reference points for developers using the library, fixing this will hopefully result in better security for your users.

I have proposed a solution to solve the vulnerability below and would like to request that we get a CVE assigned here so that I can use this for responsibly disclosing the security issue to the affected WordPress plugins.

Remediation

A quick and easy solution to prevent this attack is to force the parameters to be numerical values:

```php
if (isset($_POST['submit'])) {
    // Coerce each parameter to a float so no formula syntax can survive into the formula strings.
    $_POST['A'] = floatval($_POST['A']);
    $_POST['B'] = floatval($_POST['B']);
    $_POST['C'] = floatval($_POST['C']);
    if ($_POST['A'] == 0) {
        // ... the script's existing handling of the non-quadratic case continues here
    }
}
```
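As an added example, not code from the advisory or from PhpSpreadsheet itself: a validating variant of the fix that rejects non-numeric input rather than silently coercing it, builds the discriminant formula only from the validated numbers, and escapes the result on output. Function names and the sample requests are constructed for illustration.

```php
<?php
// Added example, not part of the advisory or of PhpSpreadsheet. Assumes the
// same three form fields (A, B, C) as the sample script; function names and
// the sample requests below are constructed for illustration.
declare(strict_types=1);

/**
 * Validate one form field as a finite number. floatval() silently turns
 * '1) & ("x")' into 1.0; FILTER_VALIDATE_FLOAT instead rejects anything that
 * is not a plain numeric literal, so no operator, quote, parenthesis or
 * function name can reach the formula string.
 */
function requireNumber(array $post, string $key): float
{
    $value = filter_var($post[$key] ?? '', FILTER_VALIDATE_FLOAT);
    if ($value === false || !is_finite($value)) {
        throw new InvalidArgumentException("Parameter $key must be a number");
    }
    return $value;
}

/** Build the discriminant formula from validated coefficients only. */
function buildDiscriminantFormula(array $post): string
{
    $a = requireNumber($post, 'A');
    $b = requireNumber($post, 'B');
    $c = requireNumber($post, 'C');
    // Formatting the floats ourselves means the formula consists of numeric
    // literals and fixed operators, whatever the request contained. A numeric
    // discriminant also cannot hijack the second-stage formulas that embed it.
    return sprintf('=POWER(%s,2) - (4 * %s * %s)', $b, $a, $c);
}

// Constructed requests: one benign, one carrying formula syntax in A.
$benign  = ['A' => '1', 'B' => '5', 'C' => '6'];
$hostile = ['A' => '1) & ("x") & (1', 'B' => '5', 'C' => '6'];

echo buildDiscriminantFormula($benign), PHP_EOL;

try {
    buildDiscriminantFormula($hostile);
} catch (InvalidArgumentException $e) {
    // The request is refused before any formula is assembled or evaluated.
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}

// Defence in depth: whatever the calculation engine returns is HTML-escaped
// before it is written into the page, so a string result can never be markup.
echo htmlspecialchars((string) 'Only one root', ENT_QUOTES, 'UTF-8'), PHP_EOL;
```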
Thank you for your time!