1. Bug Topic
Unsafe PHP deserialization in PhpOffice\PhpPresentation\Reader\Serialized::load().
2. Release Version / Commit Hash / Affected Range
Observed affected version in the provided target source: 0.6.0.
Affected range and commit hash are unknown from the minimal package. The issue is present in src/PhpPresentation/Reader/Serialized.php in the submitted source package.
3. Bug Type
Insecure deserialization / PHP object injection.
4. CWE
CWE-502: Deserialization of Untrusted Data.
5. Bug Summary
The serialized presentation reader reads PhpPresentation.xml from a presentation archive, base64-decodes the XML data element, and passes the result directly to PHP unserialize(). Because the archive content is attacker-controlled when applications accept uploaded presentation files, this allows arbitrary PHP object instantiation in the consuming application's process.
6. Root Cause
Reader\Serialized::loadSerialized() uses unrestricted unserialize():
$xmlData = simplexml_load_string($xmlContent);
$file = unserialize(base64_decode((string) $xmlData->data));
The expected return type does not prevent exploitation because PHP creates the object graph and invokes magic methods before the later type mismatch/fatal error occurs.
7. Attack Preconditions
- A consuming application accepts a presentation file from an untrusted user or external source.
- The application calls the PHPPresentation
Serialized reader on that file.
- Application or dependency classes are autoloadable and may contain useful magic methods.
8. Impact Analysis
The issue provides an attacker-controlled object instantiation primitive. Depending on application dependencies, it may lead to code execution through gadget chains, data modification, file writes, or denial of service. The provided PoC uses a benign local gadget that writes a marker file from __wakeup() to show that magic methods run during Reader\Serialized::load().
9. Affected Code
File: src/PhpPresentation/Reader/Serialized.php
Method: PhpOffice\PhpPresentation\Reader\Serialized::loadSerialized()
Relevant code:
$xmlContent = $oArchive->getFromName('PhpPresentation.xml');
$xmlData = simplexml_load_string($xmlContent);
$file = unserialize(base64_decode((string) $xmlData->data));
10. PoC
https://github.com/fa1c4/security-advisories/tree/main/PHPPresentation
Expected output:
[+] Reproduced: attacker-controlled serialized object was instantiated by Reader\Serialized::load().
[+] Marker: __wakeup reached
The PoC includes:
Serialized.php: the vulnerable target source file.
PoC.php: creates a crafted presentation archive and invokes the reader.
Dockerfile: runs the PoC in PHP with required zip and simplexml extensions.
1. Bug Topic
Unsafe PHP deserialization in
PhpOffice\PhpPresentation\Reader\Serialized::load().2. Release Version / Commit Hash / Affected Range
Observed affected version in the provided target source:
0.6.0.Affected range and commit hash are unknown from the minimal package. The issue is present in
src/PhpPresentation/Reader/Serialized.phpin the submitted source package.3. Bug Type
Insecure deserialization / PHP object injection.
4. CWE
CWE-502: Deserialization of Untrusted Data.
5. Bug Summary
The serialized presentation reader reads
PhpPresentation.xmlfrom a presentation archive, base64-decodes the XMLdataelement, and passes the result directly to PHPunserialize(). Because the archive content is attacker-controlled when applications accept uploaded presentation files, this allows arbitrary PHP object instantiation in the consuming application's process.6. Root Cause
Reader\Serialized::loadSerialized()uses unrestrictedunserialize():The expected return type does not prevent exploitation because PHP creates the object graph and invokes magic methods before the later type mismatch/fatal error occurs.
7. Attack Preconditions
Serializedreader on that file.8. Impact Analysis
The issue provides an attacker-controlled object instantiation primitive. Depending on application dependencies, it may lead to code execution through gadget chains, data modification, file writes, or denial of service. The provided PoC uses a benign local gadget that writes a marker file from
__wakeup()to show that magic methods run duringReader\Serialized::load().9. Affected Code
File:
src/PhpPresentation/Reader/Serialized.phpMethod:
PhpOffice\PhpPresentation\Reader\Serialized::loadSerialized()Relevant code:
10. PoC
https://github.com/fa1c4/security-advisories/tree/main/PHPPresentationExpected output:
The PoC includes:
Serialized.php: the vulnerable target source file.PoC.php: creates a crafted presentation archive and invokes the reader.Dockerfile: runs the PoC in PHP with requiredzipandsimplexmlextensions.