ghsa-3cw5-7cxw-v5qg
Vulnerability from github
Summary
The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing <image> tags with uppercase letters. This might leads to arbitrary object unserialize on PHP < 8, through the phar URL wrapper.
Details
The bug occurs during SVG parsing of <image> tags, in src/Image/Cache.php :
if ($type === "svg") {
$parser = xml_parser_create("utf-8");
xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, false);
xml_set_element_handler(
$parser,
function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) {
if ($name === "image") {
$attributes = array_change_key_case($attributes, CASE_LOWER);
This part will try to detect <image> tags in SVG, and will take the href to validate it against the protocolAllowed whitelist. However, the `$name comparison with "image" is case sensitive, which means that such a tag in the SVG will pass :
<svg>
<Image xlink:href="phar:///foo"></Image>
</svg>
As the tag is named "Image" and not "image", it will not pass the condition to trigger the check.
A correct solution would be to strtolower the $name before the check :
if (strtolower($name) === "image") {
PoC
Parsing the following SVG file is sufficient to reproduce the vulnerability :
<svg>
<Image xlink:href="phar:///foo"></Image>
</svg>
Impact
An attacker might be able to exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will leads at the very least to an arbitrary file deletion, and might leads to remote code execution, depending on classes that are available.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "dompdf/dompdf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-23924"
],
"database_specific": {
"cwe_ids": [
"CWE-551",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-01T01:37:56Z",
"nvd_published_at": "2023-02-01T00:15:00Z",
"severity": "CRITICAL"
},
"details": "### Summary\nThe URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `\u003cimage\u003e` tags with uppercase letters. This might leads to arbitrary object unserialize on PHP \u003c 8, through the `phar` URL wrapper.\n\n### Details\nThe bug occurs during SVG parsing of `\u003cimage\u003e` tags, in src/Image/Cache.php : \n\n```\nif ($type === \"svg\") {\n $parser = xml_parser_create(\"utf-8\");\n xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, false);\n xml_set_element_handler(\n $parser,\n function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) {\n if ($name === \"image\") {\n $attributes = array_change_key_case($attributes, CASE_LOWER);\n```\nThis part will try to detect `\u003cimage\u003e` tags in SVG, and will take the href to validate it against the protocolAllowed whitelist. However, the `$name comparison with \"image\" is case sensitive, which means that such a tag in the SVG will pass : \n\n```\n\u003csvg\u003e\n \u003cImage xlink:href=\"phar:///foo\"\u003e\u003c/Image\u003e\n\u003c/svg\u003e\n```\n\nAs the tag is named \"Image\" and not \"image\", it will not pass the condition to trigger the check.\n\nA correct solution would be to strtolower the `$name` before the check : \n\n```\nif (strtolower($name) === \"image\") {\n```\n\n### PoC\nParsing the following SVG file is sufficient to reproduce the vulnerability :\n\n```\n\u003csvg\u003e\n \u003cImage xlink:href=\"phar:///foo\"\u003e\u003c/Image\u003e\n\u003c/svg\u003e\n```\n\n### Impact\nAn attacker might be able to exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will leads at the very least to an arbitrary file deletion, and might leads to remote code execution, depending on classes that are available.\n",
"id": "GHSA-3cw5-7cxw-v5qg",
"modified": "2023-02-01T01:37:56Z",
"published": "2023-02-01T01:37:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23924"
},
{
"type": "WEB",
"url": "https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2023-23924.yaml"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-3cw5-7cxw-v5qg"
},
{
"type": "PACKAGE",
"url": "https://github.com/dompdf/dompdf"
},
{
"type": "WEB",
"url": "https://github.com/dompdf/dompdf/releases/tag/v2.0.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "Dompdf vulnerable to URI validation failure on SVG parsing"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.