nuovo / spreadsheet-reader

A PHP spreadsheet reader (Excel XLS and XLSX, OpenOffice ODS, and variously separated text files) with a singular goal of getting the data out, efficiently
http://www.nuovo.lv/

Arbitrary file read vulnerability #169

Open liquidsec opened 3 years ago

liquidsec commented 3 years ago

I am a pentester, test.php produced an arbitrary file read vulnerability for one of my clients. We were able to read files all over the filesystem and gained access to sensitive keys, source code, etc by using directory traversal characters with the File parameter. Contents of the file get chopped into arrays but are nonetheless present.
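The pattern behind the report above, as an added example that is not the project's own test.php and not code from the reporter: a "File" request parameter joined onto a base directory and handed straight to a file reader, with no check that the resolved path stays inside that directory. The base-directory layout, the allowed extension list and the function names are assumptions made for the illustration; the hardened resolver shows the checks a fix would need.

```php
<?php
// Added example, not code from nuovo/spreadsheet-reader. It models the class of
// bug described in the issue: user-controlled "File" joined onto an upload
// directory. Directory layout, function names and the extension whitelist are
// assumptions for this illustration.

declare(strict_types=1);

// Vulnerable pattern (assumed shape of the endpoint): the parameter is
// concatenated onto a base directory and the result is opened as-is.
// "File=../../../../etc/passwd" resolves to /etc/passwd, whose lines the
// reader then hands back row by row.
function resolveUnsafe(string $baseDir, string $file): string
{
    return $baseDir . '/' . $file;
}

// Hardened resolver: accept only a bare filename with a known extension,
// canonicalise both sides, and require the target to be a regular file
// strictly inside the base directory.
function resolveSafe(string $baseDir, string $file): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Bare filename only: no separators, no NUL bytes, no leading dot (so
    // "..", ".", and dotfiles are rejected before any filesystem call).
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $file)) {
        return null;
    }
    $allowed = ['xls', 'xlsx', 'ods', 'csv', 'tsv', 'txt']; // assumed whitelist
    $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // realpath() follows symlinks, so a link inside $base that points outside
    // it is caught by this prefix check as well.
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $target;
}

// Demonstration against a constructed temporary directory.
$base = sys_get_temp_dir() . '/sr_demo_' . bin2hex(random_bytes(4));
mkdir($base);
file_put_contents($base . '/data.csv', "a,b\n1,2\n");

$probes = ['data.csv', '../../../../etc/passwd', 'data.csv/../../x', '..'];
foreach ($probes as $p) {
    printf("%-28s unsafe=%s safe=%s\n",
        json_encode($p),
        resolveUnsafe($base, $p),
        resolveSafe($base, $p) ?? 'REJECTED');
}

unlink($base . '/data.csv');
rmdir($base);
```

Only `data.csv` survives `resolveSafe()`; every traversal probe is rejected before the reader sees it. The realpath-plus-prefix check is the part that matters: extension and character filters alone are bypassable, but a canonicalised path that does not begin with the canonicalised base directory cannot name a file outside it.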

americo commented 3 years ago

Hi liquidsec, can you give a PoC of this? I'm a pentester too, and my client is using it.

RonnyDo commented 2 years ago

> I am a pentester, test.php produced an arbitrary file read vulnerability for one of my clients. We were able to read files all over the filesystem and gained access to sensitive keys, source code, etc by using directory traversal characters with the File parameter. Contents of the file get chopped into arrays but are nonetheless present.

Can confirm this. The "File" parameter can be altered to point to arbitrary locations, even outside of the application's scope.

RonnyDo commented 6 months ago

The vulnerability got officially registered under CVE-2023-29887 🐞