Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS0zY3c1LTdjeHctdjVxZ84AAxTp

Dompdf vulnerable to URI validation failure on SVG parsing

Summary

The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing <image> tags with uppercase letters. This might leads to arbitrary object unserialize on PHP < 8, through the phar URL wrapper.

Details

The bug occurs during SVG parsing of <image> tags, in src/Image/Cache.php :

if ($type === "svg") {
    $parser = xml_parser_create("utf-8");
    xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, false);
    xml_set_element_handler(
        $parser,
        function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) {
            if ($name === "image") {
                $attributes = array_change_key_case($attributes, CASE_LOWER);

This part will try to detect <image> tags in SVG, and will take the href to validate it against the protocolAllowed whitelist. However, the `$name comparison with "image" is case sensitive, which means that such a tag in the SVG will pass :

<svg>
    <Image xlink:href="phar:///foo"></Image>
</svg>

As the tag is named "Image" and not "image", it will not pass the condition to trigger the check.

A correct solution would be to strtolower the $name before the check :

if (strtolower($name) === "image") {

PoC

Parsing the following SVG file is sufficient to reproduce the vulnerability :

<svg>
    <Image xlink:href="phar:///foo"></Image>
</svg>

Impact

An attacker might be able to exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will leads at the very least to an arbitrary file deletion, and might leads to remote code execution, depending on classes that are available.

Permalink: https://github.com/advisories/GHSA-3cw5-7cxw-v5qg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zY3c1LTdjeHctdjVxZ84AAxTp
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 1 year ago
Updated: over 1 year ago


CVSS Score: 10.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H

Identifiers: GHSA-3cw5-7cxw-v5qg, CVE-2023-23924
References: Repository: https://github.com/dompdf/dompdf
Blast Radius: 43.4

Affected Packages

packagist:dompdf/dompdf
Dependent packages: 555
Dependent repositories: 22,012
Downloads: 108,583,601 total
Affected Version Ranges: < 2.0.2
Fixed in: 2.0.2
All affected versions: 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.2.2, 2.0.0, 2.0.1
All unaffected versions: 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.7, 2.0.8, 3.0.0