CVE-2022-43984 - Browsershot v3.57.3 Security Vulnerability: Arbitary Local File Disclosure

Overview

CVE-2022-43984 is a critical security vulnerability found in Browsershot v3.57.3, a popular PHP library used for converting webpages and HTML content to images or PDFs. An external attacker could exploit this vulnerability to remotely obtain arbitrary local files by supplying malicious URLs using the file:// protocol. The vulnerability exists as a result of insufficient validation checks preventing the application from loading potentially harmful JavaScript content from external sources.

Exploit Details

This exploitable vulnerability allows malicious actors to access sensitive information by crafting a request that includes a file:// protocol URL in the JavaScript content passed to the Browsershot::html method. An example of the vulnerable code:

$browsershot = new Browsershot();
$browsershot->html('<script src="file:///etc/passwd"></script>')->screenshot();

By exploiting the vulnerability in this manner, an attacker could potentially extract sensitive files such as the '/etc/passwd' file that contains user account information in Unix and Linux systems. This may lead to further unauthorized access, providing the attacker with the ability to compromise the affected system and steal sensitive data.

Solution

Users of Browsershot v3.57.3 are encouraged to update the library to the latest version immediately to address the security issue. Additionally, for increased security, users should validate any external resources such as JavaScript content passed to the Browsershot::html method to prevent potential exploitation.

Original References

- GitHub Issue: Browsershot v3.57.3 vulnerability CVE-2022-43984

- National Vulnerability Database: CVE-2022-43984

Mitigation Techniques

To minimize the risk of exploitation, users can follow best practices and secure coding techniques.

1. Filter/sanitize input data: Always validate and sanitize input data to prevent the execution of unauthorized code or commands.

$validatedUrl = filter_var($userProvidedUrl, FILTER_VALIDATE_URL);
if (!empty($validatedUrl)) {
    $browsershot->html('<script src="' . htmlspecialchars($validatedUrl, ENT_QUOTES, 'UTF-8') . '"></script>')->screenshot();
}

2. Whitelist allowed protocols: Limit the allowed protocols in URLs to a small set of known-safe protocols, such as 'http' and 'https'.

3. Update to the latest version: Always make sure to use the most recent and secure version of your libraries and dependencies.

By implementing these strategies, users can help defend against potential attacks targeting this vulnerability and maintain a more secure application environment.

Timeline

Published on: 11/25/2022 17:15:00 UTC
Last modified on: 01/10/2023 19:50:00 UTC