Dompdf, a popular HTML to PDF converter written in PHP, has been found to have a vulnerability that may enable remote code execution (RCE) due to the difference in attribute parser behavior between Dompdf and php-svg-lib. This issue can lead to arbitrary file deletion and potential RCE depending on the PHP version and available classes. The vulnerability has been addressed in Dompdf version 2.0.3 and users are encouraged to upgrade as soon as possible.

Background

Dompdf parses the href attribute of image tags and respects xlink:href even if href is specified. php-svg-lib, which is later used to parse the SVG file, parses the href attribute, and there href takes priority if both xlink:href and href are specified. The two parsers can therefore resolve the same image tag to different references, which allows attackers to bypass the protection on the Dompdf side by simply providing an empty xlink:href attribute.

Exploit Details

The vulnerability can be exploited if an attacker provides Dompdf with an SVG file containing an empty xlink:href attribute, which results in Dompdf calling arbitrary URLs with arbitrary protocols. In PHP versions before 8.0.0, this can lead to remote code execution by leveraging the unserialize functionality.

Sample SVG Code Snippet

<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="" href="arbitrary_protocol://arbitrary_URL" />
</svg>
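To make the parser differential concrete for triage of stored or uploaded SVG files, the following added example (not code from Dompdf, php-svg-lib, or the original page) models the two attribute-resolution rules as the Background section describes them and flags any image element where they disagree. The function names, the `ALLOWED_SCHEMES` policy, and both sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
ALLOWED_SCHEMES = {"http", "https", "data"}  # assumption: local policy, not Dompdf's list

# Constructed samples: the page's SVG, and a benign image using only xlink:href.
NS = 'xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
SAMPLE_BYPASS = f'<svg {NS}><image xlink:href="" href="arbitrary_protocol://arbitrary_URL"/></svg>'
SAMPLE_BENIGN = f'<svg {NS}><image xlink:href="https://example.com/logo.png"/></svg>'

def checked_ref(el):
    # Validating side as the page describes it: xlink:href is used whenever it is present.
    return el.get(XLINK_HREF) if XLINK_HREF in el.attrib else el.get("href")

def loaded_ref(el):
    # Rendering side as the page describes it: href takes priority when present.
    return el.get("href") if "href" in el.attrib else el.get(XLINK_HREF)

def scheme_of(ref):
    # Text before the first ':' is treated as the scheme; no ':' means a relative reference.
    head, sep, _ = (ref or "").partition(":")
    return head.lower() if sep else ""

def scan_svg(svg_text):
    """Return a finding for each <image> where the two views disagree or the
    loaded reference uses a scheme outside ALLOWED_SCHEMES."""
    if "<!doctype" in svg_text.lower() or "<!entity" in svg_text.lower():
        raise ValueError("DTD/entity declarations are refused before parsing")
    findings = []
    for el in ET.fromstring(svg_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "image":  # match with or without the SVG namespace
            continue
        checked, loaded = checked_ref(el), loaded_ref(el)
        reasons = []
        if checked != loaded:
            reasons.append("parser-differential")
        scheme = scheme_of(loaded)
        if scheme and scheme not in ALLOWED_SCHEMES:
            reasons.append("disallowed-scheme")
        if reasons:
            findings.append({"checked": checked, "loaded": loaded, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for name, svg in (("bypass", SAMPLE_BYPASS), ("benign", SAMPLE_BENIGN)):
        print(name, scan_svg(svg))
```

A finding with the reason `parser-differential` means the reference that was validated is not the reference that would be loaded, which is the condition this vulnerability depends on; the scan helps locate affected inputs and does not replace the upgrade.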

Mitigation

The vulnerability has been addressed in commit 95009ea98, which has been included in Dompdf release version 2.0.3. Users are advised to upgrade to this version to ensure protection against this vulnerability.

No known workarounds are available for the vulnerability. Upgrading to the latest version of Dompdf is strongly recommended.

Original References

- Dompdf GitHub Repository: https://github.com/dompdf/dompdf
- Patch Commit: https://github.com/dompdf/dompdf/commit/95009ea98
- Dompdf Release Version 2.0.3: https://github.com/dompdf/dompdf/releases/tag/v2.0.3

Conclusion

The CVE-2023-24813 vulnerability in Dompdf highlights the importance of maintaining up-to-date libraries and components within software stacks. By upgrading to the latest Dompdf version (2.0.3), users can mitigate the risk posed by this vulnerability. It is essential to monitor and keep track of known vulnerabilities in the software components used within applications, as they can expose users to potential exploits and security risks.

Timeline

Published on: 02/07/2023 19:15:00 UTC
Last modified on: 02/16/2023 14:53:00 UTC