Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01NmdqLW12aDYtcnA3Nc4AAxd4
URI validation failure on SVG parsing. Bypass of CVE-2023-23924
Summary
Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols.
Details
Dompdf parses the href attribute of image tags with the following code:
src/Image/Cache.php line 135-150
function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) {
if (strtolower($name) === "image") {
$attributes = array_change_key_case($attributes, CASE_LOWER);
$url = $attributes["xlink:href"] ?? $attributes["href"];
if (!empty($url)) {
$inner_full_url = Helpers::build_url($parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $url);
if ($inner_full_url === $full_url) {
throw new ImageException("SVG self-reference is not allowed", E_WARNING);
}
[$resolved_url, $type, $message] = self::resolve_url($url, $parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $options);
if (!empty($message)) {
throw new ImageException("This SVG document references a restricted resource. $message", E_WARNING);
}
}
}
},
As you can see from the code snippet above, it respects xlink:href even if href is specified.
$url = $attributes["xlink:href"] ?? $attributes["href"];
However, php-svg-lib, which is later used to parse the svg file, parses the href attribute with the following code:
src/Svg/Tag/Image.php line 51-57
if (isset($attributes['xlink:href'])) {
$this->href = $attributes['xlink:href'];
}
if (isset($attributes['href'])) {
$this->href = $attributes['href'];
}
Since href is respected if both xlink:href and href is specified, it's possible to bypass the protection on the Dompdf side by providing an empty xlink:href attribute.
Impact
An attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes.
Permalink: https://github.com/advisories/GHSA-56gj-mvh6-rp75JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01NmdqLW12aDYtcnA3Nc4AAxd4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
CVSS Score: 10.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Identifiers: GHSA-56gj-mvh6-rp75, CVE-2023-24813
References:
- https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75
- https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa
- https://nvd.nist.gov/vuln/detail/CVE-2023-24813
- https://github.com/advisories/GHSA-56gj-mvh6-rp75
Blast Radius: 43.4
Affected Packages
packagist:dompdf/dompdf
Dependent packages: 555Dependent repositories: 22,012
Downloads: 112,987,439 total
Affected Version Ranges: = 2.0.2
Fixed in: 2.0.3
All affected versions:
All unaffected versions: 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.2.2, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.7, 2.0.8, 3.0.0