Lucene search

K
friendsofphpOpenJS FoundationFRIENDSOFPHP:DOMPDF:DOMPDF:CVE-2023-23924
HistoryJan 31, 2023 - 2:30 p.m.

Dompdf vulnerable to URI validation failure on SVG parsing

2023-01-3114:30:00
OpenJS Foundation
github.com
7
dompdf
uri validation
svg parsing
bypass
arbitrary unserialize
php
vulnerability
remote code execution

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H

7.5 High

AI Score

Confidence

Low

0.01 Low

EPSS

Percentile

84.0%

Description Summary The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing tags with uppercase letters. This might leads to arbitrary object unserialize on PHP < 8, through the phar URL wrapper. Details The bug occurs during SVG parsing of tags, in src/Image/Cache.php : if ($type === “svg”) { $parser = xml_parser_create(“utf-8”); xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, false); xml_set_element_handler( $parser, function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) { if ($name === “image”) { $attributes = array_change_key_case($attributes, CASE_LOWER); This part will try to detect tags in SVG, and will take the href to validate it against the protocolAllowed whitelist. However, the `$name comparison with “image” is case sensitive, which means that such a tag in the SVG will pass : As the tag is named “Image” and not “image”, it will not pass the condition to trigger the check. A correct solution would be to strtolower the $name before the check : if (strtolower($name) === “image”) { PoC Parsing the following SVG file is sufficient to reproduce the vulnerability : Impact An attacker might be able to exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will leads at the very least to an arbitrary file deletion, and might leads to remote code execution, depending on classes that are available. References GHSA-3cw5-7cxw-v5qg https://nvd.nist.gov/vuln/detail/CVE-2023-23924 dompdf/dompdf@7558f07 https://github.com/dompdf/dompdf/releases/tag/v2.0.2 https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2023-23924.yaml GHSA-3cw5-7cxw-v5qg

Affected configurations

Vulners
Node
dompdfdompdfRange<2.0.2
CPENameOperatorVersion
dompdf/dompdflt2.0.2

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H

7.5 High

AI Score

Confidence

Low

0.01 Low

EPSS

Percentile

84.0%

Related for FRIENDSOFPHP:DOMPDF:DOMPDF:CVE-2023-23924