
Workaround offered for unpatched HTML-to-PDF rendering vulnerability

A popular software library for rendering PDFs from HTML documents suffers from an unpatched vulnerability that poses a remote code execution (RCE) risk, security researchers claim.

Flaws in the dompdf library were uncovered by German security consultancy Positive Security during the audit of a client’s website.

Although it remains unpatched even in the latest version of dompdf (v1.2.0), the vulnerability can be addressed by making sure the software is not in a web-accessible directory.

In addition, it is advisable to sanitize user-supplied input to dompdf installations, at least pending the release of a security update.

Communication hiccup

Although Positive Security contacted dompdf’s developers soon after the vulnerability was discovered last October, the disclosure email was not seen by project maintainer Brian Sweeney because the message was misclassified as spam.

In response to queries from The Daily Swig, Sweeney responded promptly to state he agreed with Positive Security’s main findings.

“After reviewing the vulnerability details the next release (1.2.1) will include a patch,” Sweeney told The Daily Swig. “I still cannot provide a timeline for that release, though I would expect it to be within the next few weeks.”

“I can confirm that the reported vulnerability is valid and is unpatched at this time.”

“Positive Security did an excellent job with their research,” Sweeney concluded.

From a dompdf user’s perspective, it’s valuable to know about known security risks and possible workarounds, so Positive Security decided to go public with details of the vulnerability on Wednesday (March 16) – even in the absence of a patch.

In a technical blog post, Positive Security explains that the software is vulnerable because it allowed potential attackers to upload font files with a .php extension to the web server.

Because of this security shortcoming, a reflected cross-site scripting (XSS) issue can be abused to navigate towards an uploaded .php script, offering a way for potential attackers to achieve code execution on vulnerable systems.

Ticket to ride

Dompdf is a popular open source PHP library that’s used for rendering HTML code as PDFs. Applications include ticket purchases, receipts/invoices, a variety of automated emails, Covid-19 test certificates, and more.

The software has 8,600 stars, 1,600 forks and 59,200 dependent repositories – metrics that make it the most widely used PHP-to-PDF generation library, according to Positive Security’s Fabian Bräunlein.


“In case the preconditions are met, exploitation is quite easy,” Bräunlein told The Daily Swig.

Bräunlein explained that exploitation would follow a three-part process:

  1. Serve the malicious CSS file and PHP font on the internet
  2. Trigger the download of the PHP font by including the external CSS during PDF generation
  3. Access the downloaded .php file to trigger arbitrary code execution on the server

During a client engagement, Positive Security successfully used the vulnerability to gain arbitrary code execution on its client’s system.

Bräunlein said the security issues with dompdf offer secure development lessons for other software developers.

“A vulnerability like the one now in dompdf can happen quite easily in this intersection of different technologies (PHP, PDF, HTML, CSS, fonts, local, and remote files),” Bräunlein said.

“As a defense-in-depth mechanism, it can therefore make sense to run the PDF generation as isolated as possible from other components of the system.”
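The workaround described above (keep dompdf’s files out of any web-accessible directory, sanitize user-supplied input) and the isolation advice in the last quote can be expressed as a hardened setup. The following is an added example, not code from the article, Positive Security or the dompdf project; it assumes the Composer autoloader and the Dompdf\Options and Dompdf\Dompdf API of dompdf 1.x, and the directory paths and the `name` form field are placeholders.

```php
<?php
// Added example (not from the article or the dompdf project). Assumes dompdf 1.x
// installed via Composer; /var/lib/app/dompdf-fonts and the template path are placeholders.
require __DIR__ . '/vendor/autoload.php';

use Dompdf\Dompdf;
use Dompdf\Options;

// Refuse to render if the font directory resolves to a path under the web root:
// a font file that a browser can request is exactly the precondition the article
// describes, so treat it as a configuration error rather than a warning.
function assertOutsideWebRoot(string $dir, string $docRoot): void
{
    $real = realpath($dir);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException("Cannot resolve $dir or $docRoot");
    }
    // Trailing separator so /var/www/html-fonts is not mistaken for a child of /var/www/html.
    if (strpos($real . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException("Font directory $real is web accessible (under $root)");
    }
}

$docRoot = $_SERVER['DOCUMENT_ROOT'] ?? '/var/www/html';  // placeholder
$fontDir = '/var/lib/app/dompdf-fonts';                    // placeholder, outside the web root
assertOutsideWebRoot($fontDir, $docRoot);

$options = new Options();
$options->setFontDir($fontDir);               // where dompdf writes downloaded/installed fonts
$options->setFontCache($fontDir);             // and their cache files
$options->setIsRemoteEnabled(false);          // no fetching of external CSS, images or fonts
$options->setChroot(__DIR__ . '/templates');  // local file access limited to our template dir

$dompdf = new Dompdf($options);

// The HTML template is ours; untrusted values are escaped before being placed in it,
// so the renderer never interprets attacker-supplied markup or @font-face rules.
$name = htmlspecialchars($_POST['name'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
$dompdf->loadHtml("<html><body><h1>Receipt for {$name}</h1></body></html>");
$dompdf->render();
$dompdf->stream('receipt.pdf', ['Attachment' => true]);
```

Running the generator under a separate, unprivileged service account with no access to the application’s secrets is the process-level form of the isolation Bräunlein recommends.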

Source: https://portswigger.net/daily-swig/workaround-offered-for-unpatched-html-to-pdf-rendering-vulnerability
