Headline
CVE-2022-35583: wkhtmltopdf
wkhtmltopdf 0.12.6 is vulnerable to SSRF, which allows an attacker to gain initial access to the target's system by injecting an iframe tag with an initial asset IP address as its source. This allows the attacker to take over the whole infrastructure by accessing its internal assets.
What is it?
wkhtmltopdf and wkhtmltoimage are open source (LGPLv3) command line tools to render HTML into PDF and various image formats using the Qt WebKit rendering engine. These run entirely “headless” and do not require a display or display service.
There is also a C library, if you’re into that kind of thing.
How do I use it?
Download a precompiled binary or build from source
Create your HTML document that you want to turn into a PDF (or image)
Run your HTML document through the tool.
For example, if I really like the treatment Google has done to their logo today and want to capture it forever as a PDF:

wkhtmltopdf http://google.com google.pdf
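Added example, not code from the CVE entry or from the wkhtmltopdf project: a pre-render guard for the pattern that the CVE description and the usage steps above share, a service that takes HTML and runs it through wkhtmltopdf. The renderer fetches every src/href it meets, so an iframe whose source is an internal address makes the converter reach that host from the server's own network position. The Python below strips remote-loading elements and URL attributes aimed at non-public addresses, records what it dropped so the job can be logged, and builds a hardened command line. The --disable-local-file-access, --disable-javascript and --load-error-handling flags are real wkhtmltopdf options; everything else (function names, the constructed sample document, the stubbed resolver) is this example's own.

```python
# Added example, not code from the CVE entry or the wkhtmltopdf project.
# Function names are this example's own; only the command-line flags are wkhtmltopdf's.
import html, ipaddress, shutil, socket, subprocess, tempfile
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"src", "href", "data", "action", "formaction", "poster", "background"}
DROP_ATTRS = {"srcset", "ping"}                       # list-valued / beacon attributes: always removed
REMOTE_LOADERS = {"iframe", "frame", "object", "embed", "script", "link", "base", "meta", "style"}
SKIP_BODY = {"iframe", "object", "script", "style"}   # inner content of these is discarded too

def default_resolver(host):
    """Every address a hostname resolves to (network-dependent; injectable for tests)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_blocked_url(url, resolver=default_resolver):
    """True if the renderer must not fetch url: non-http(s) scheme, missing host,
    localhost, or a host that is (or resolves to) any non-global address.
    Relative references pass; <base> is stripped so they keep the page's origin."""
    parts = urlsplit(url.strip())
    if not parts.scheme and not parts.netloc:
        return False
    if (parts.scheme or "https").lower() not in ("http", "https"):
        return True
    host = parts.hostname
    if not host or host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ipaddress.ip_address(host)
        candidates = {host}
    except ValueError:
        try:
            candidates = resolver(host)
        except OSError:
            return True                                # unresolvable: refuse rather than retry
    for ip in candidates:
        addr = ipaddress.ip_address(ip)
        if addr.version == 6 and addr.ipv4_mapped:     # ::ffff:127.0.0.1 hides a v4 loopback
            addr = addr.ipv4_mapped
        if not addr.is_global:                         # loopback, RFC 1918, link-local, reserved...
            return True
    return False

class _Sanitizer(HTMLParser):
    """Re-emits the document minus remote loaders and blocked attributes; drops are recorded for logging."""

    def __init__(self, resolver):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self._skip, self._resolver = [], [], 0, resolver

    def _attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if (name in DROP_ATTRS
                    or (name == "style" and value and "url(" in value.lower())   # CSS url() fetches too
                    or (name in URL_ATTRS and value is not None and is_blocked_url(value, self._resolver))):
                self.dropped.append((f"{tag}@{name}", value))
                continue
            kept.append(f" {name}" if value is None else f' {name}="{html.escape(value)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        if tag in REMOTE_LOADERS:
            self.dropped.append((tag, dict(attrs)))
            self._skip += tag in SKIP_BODY             # bool adds 1 for elements whose body is skipped
        elif not self._skip:
            self.out.append(f"<{tag}{self._attrs(tag, attrs)}>")

    def handle_endtag(self, tag):
        if tag in SKIP_BODY:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag not in REMOTE_LOADERS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):                       # comments are dropped by default
        if not self._skip:
            self.out.append(html.escape(data, quote=False))

    def handle_decl(self, decl):                       # keep <!DOCTYPE html> so WebKit stays in standards mode
        self.out.append(f"<!{decl}>")

def sanitize_html(document, resolver=default_resolver):
    """Return (cleaned_html, dropped); dropped is a list like ('iframe', {'src': ...})."""
    parser = _Sanitizer(resolver)
    parser.feed(document)
    parser.close()
    return "".join(parser.out), parser.dropped

def build_command(input_html, output_pdf):
    """Hardened argv: no file:// reads, no JavaScript. Neither flag blocks plain HTTP to
    internal hosts, so sanitize first and also run the tool in an egress-restricted namespace."""
    return ["wkhtmltopdf", "--disable-local-file-access", "--disable-javascript",
            "--load-error-handling", "ignore", input_html, output_pdf]

if __name__ == "__main__":
    sample = ('<!DOCTYPE html><html><body><h1>Invoice &amp; receipt</h1>'        # constructed input
              '<img src="https://cdn.example.org/logo.png"><iframe src="http://10.0.0.5/admin">x</iframe>'
              '<a href="http://[::ffff:127.0.0.1]/">link</a></body></html>')
    cleaned, dropped = sanitize_html(sample, resolver=lambda host: {"93.184.216.34"})  # offline stub
    print(cleaned, dropped, sep="\n")
    if shutil.which("wkhtmltopdf"):                    # convert only when the binary is installed
        with tempfile.NamedTemporaryFile("w", suffix=".html", delete=False) as tmp:
            tmp.write(cleaned)
        subprocess.run(build_command(tmp.name, "invoice.pdf"), check=True, timeout=60)
```

Run it as a script to see the cleaned document and the list of dropped references; the conversion step only runs when the binary is on PATH. The dropped list is the detection signal worth keeping: a PDF job that references loopback, link-local or RFC 1918 space rarely has a legitimate reason to. Sanitizing the markup is necessary but not sufficient, since a DNS answer can change between the check and the renderer's fetch, so the converter should still run in a network namespace or behind an egress allow-list that cannot reach internal ranges.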
Additional options
That’s great, I’ve always wanted to turn Google’s homepage into a PDF, but I want a table of contents as well.
There are plenty of command line options. Check out the auto-generated wkhtmltopdf manual.
Get Hardcore
Command line tools are awesome, but I want a C library.
No problem. Check out the library documentation.
Real world examples?
Like we said, if you really like Google’s homepage today and want to save it as a PDF, you could use wkhtmltopdf for that.
Seriously, you could use it to generate invoices, create birthday cards, or all other sorts of fun things. Just use your imagination!