Skip to content

PHPPresentation unsafe deserialization in Serialized reader #892

Description

@fa1c4

1. Bug Topic

Unsafe PHP deserialization in PhpOffice\PhpPresentation\Reader\Serialized::load().

2. Release Version / Commit Hash / Affected Range

Observed affected version in the provided target source: 0.6.0.

Affected range and commit hash are unknown from the minimal package. The issue is present in src/PhpPresentation/Reader/Serialized.php in the submitted source package.

3. Bug Type

Insecure deserialization / PHP object injection.

4. CWE

CWE-502: Deserialization of Untrusted Data.

5. Bug Summary

The serialized presentation reader reads PhpPresentation.xml from a presentation archive, base64-decodes the XML data element, and passes the result directly to PHP unserialize(). Because the archive content is attacker-controlled when applications accept uploaded presentation files, this allows arbitrary PHP object instantiation in the consuming application's process.

6. Root Cause

Reader\Serialized::loadSerialized() uses unrestricted unserialize():

$xmlData = simplexml_load_string($xmlContent);
$file = unserialize(base64_decode((string) $xmlData->data));

The expected return type does not prevent exploitation because PHP creates the object graph and invokes magic methods before the later type mismatch/fatal error occurs.

7. Attack Preconditions

  • A consuming application accepts a presentation file from an untrusted user or external source.
  • The application calls the PHPPresentation Serialized reader on that file.
  • Application or dependency classes are autoloadable and may contain useful magic methods.

8. Impact Analysis

The issue provides an attacker-controlled object instantiation primitive. Depending on application dependencies, it may lead to code execution through gadget chains, data modification, file writes, or denial of service. The provided PoC uses a benign local gadget that writes a marker file from __wakeup() to show that magic methods run during Reader\Serialized::load().

9. Affected Code

File: src/PhpPresentation/Reader/Serialized.php

Method: PhpOffice\PhpPresentation\Reader\Serialized::loadSerialized()

Relevant code:

$xmlContent = $oArchive->getFromName('PhpPresentation.xml');
$xmlData = simplexml_load_string($xmlContent);
$file = unserialize(base64_decode((string) $xmlData->data));

10. PoC

https://github.com/fa1c4/security-advisories/tree/main/PHPPresentation

Expected output:

[+] Reproduced: attacker-controlled serialized object was instantiated by Reader\Serialized::load().
[+] Marker: __wakeup reached

The PoC includes:

  • Serialized.php: the vulnerable target source file.
  • PoC.php: creates a crafted presentation archive and invokes the reader.
  • Dockerfile: runs the PoC in PHP with required zip and simplexml extensions.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions