Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01MzRjLWhjcjctNjdqZ84AA_m3
Kimai has an XXE Leading to Local File Read
Summary
Kimai uses PHPSpreadsheet for importing and exporting invoices. Recently, a CVE was identified in PHPSpreadsheet, which could lead to an XXE vulnerability.
Details
Exploitation requires an Administrator account, allowing the upload of an XLSX template containing the payload. The vulnerability is triggered by the following code snippet:
// https://github.com/kimai/kimai/blob/b1903ba18359be16dd32ea9c40377c486498f082/src/Invoice/Renderer/AbstractSpreadsheetRenderer.php#L41
public function render(InvoiceDocument $document, InvoiceModel $model): Response
{
$spreadsheet = IOFactory::load($document->getFilename());
$worksheet = $spreadsheet->getActiveSheet();
$entries = $model->getCalculator()->getEntries();
$sheetReplacer = $model->toArray();
$invoiceItemCount = \count($entries);
if ($invoiceItemCount > 1) {
$this->addTemplateRows($worksheet, $invoiceItemCount);
}
}
The IOFactory::load function utilizes simplexml_load_string, which has previously been demonstrated to be vulnerable to XXE attacks.
While this is not directly an XXE in Kimai, it does however impact the latest stable version.
PoC
By uploading a malicious XLSX template, the payload will be triggered every time an invoice is generated.
<?xml version="1.0" encoding='UTF-7' standalone="yes"?>
+ADw-!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "php://filter/......." > %xxe;]>.....
For a better a visibility, I will upload both a:
- Malicious template sample for testing
- An exported invoice, showing the contents of target file during the export.
Impact
Local File Read / RCE in edge cases where phar:// can be utilized with gadget chains .
export.xlsx
sample_template.xlsx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01MzRjLWhjcjctNjdqZ84AA_m3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 4 months ago
Updated: 3 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Identifiers: GHSA-534c-hcr7-67jg
References:
- https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7
- https://github.com/kimai/kimai/security/advisories/GHSA-534c-hcr7-67jg
- https://github.com/kimai/kimai/commit/3204dcb03e1003dba90178667a4667ce3edb87b5
- https://github.com/advisories/GHSA-534c-hcr7-67jg
Blast Radius: 7.8
Affected Packages
packagist:kimai/kimai
Dependent packages: 1Dependent repositories: 16
Downloads: 4,559 total
Affected Version Ranges: <= 2.20.1
Fixed in: 2.21.0
All affected versions: 0.6.1, 0.8.1, 1.0.1, 1.1.0, 1.2.2, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.4.1, 1.4.2, 1.6.1, 1.6.2, 1.10.1, 1.10.2, 1.11.1, 1.14.1, 1.14.2, 1.14.3, 1.15.1, 1.15.2, 1.15.3, 1.15.4, 1.15.5, 1.15.6, 1.16.1, 1.16.2, 1.16.3, 1.16.4, 1.16.5, 1.16.6, 1.16.7, 1.16.8, 1.16.9, 1.16.10, 1.17.1, 1.18.1, 1.18.2, 1.19.1, 1.19.2, 1.19.3, 1.19.4, 1.19.5, 1.19.6, 1.19.7, 1.20.1, 1.20.2, 1.20.3, 1.20.4, 1.21.0, 1.22.0, 1.22.1, 1.23.0, 1.23.1, 1.24.0, 1.25.0, 1.26.0, 1.27.0, 1.28.0, 1.28.1, 1.29.0, 1.29.1, 1.30.0, 1.30.1, 1.30.2, 1.30.3, 1.30.4, 1.30.5, 1.30.6, 1.30.7, 1.30.8, 1.30.9, 1.30.10, 1.30.11, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.0.17, 2.0.18, 2.0.19, 2.0.20, 2.0.21, 2.0.22, 2.0.23, 2.0.24, 2.0.25, 2.0.26, 2.0.27, 2.0.28, 2.0.29, 2.0.30, 2.0.31, 2.0.32, 2.0.33, 2.0.34, 2.0.35, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.10.0, 2.11.0, 2.12.0, 2.13.0, 2.14.0, 2.15.0, 2.16.0, 2.16.1, 2.17.0, 2.18.0, 2.19.0, 2.19.1, 2.20.0, 2.20.1
All unaffected versions: 2.21.0, 2.22.0, 2.23.0, 2.24.0, 2.25.0, 2.26.0, 2.27.0