Proposed Workaround for Unpatched HTML to PDF Rendering Vulnerability

John Leyden Mar 18, 2022 2:55 PM UTC

Updated: Mar 19, 2022 07:00 UTC

Security flaws exposed in popular PHP library dompdf

A popular software library for rendering PDFs from HTML documents suffers from an unpatched vulnerability that poses a remote code execution (RCE) risk, security researchers say.

Flaws in the dompdf library were discovered by German security consultancy Positive Security while auditing a client’s website.

Although it remains unpatched even in the latest version of dompdf (v1.2.0), the vulnerability can be remedied by ensuring that the software is not in a web-accessible directory.

Additionally, it is advisable to sanitize user-supplied input for dompdf installations, at least until a security update is released. Suggested mitigation measures are described in more detail in a post by the developers of dompdf.

Communication problems

Although Positive Security contacted the developers of dompdf shortly after the vulnerability was discovered last October, the disclosure email was not seen by project manager Brian Sweeney because the message was incorrectly classified as spam.

In response to questions from The Daily Swig, Sweeney responded quickly to say he agreed with Positive Security’s key findings.


“After reviewing the details of the vulnerability, the next release (1.2.1) will include a fix,” Sweeney told The Daily Swig. “I still cannot provide a timeline for this release, although I expect it to be within the next few weeks.”

“I can confirm that the reported vulnerability is valid and is not fixed at this time.”

“Positive Security did a great job with their research,” Sweeney concluded.

From a dompdf user’s perspective, it’s helpful to be aware of known security risks and possible workarounds. Positive Security therefore decided to make the details of the vulnerability public on Wednesday, March 16, even in the absence of a patch.

In a technical blog post, Positive Security explains that the software is vulnerable because it allowed potential attackers to upload font files with a .php extension to the web server.

Due to this security gap, a reflected cross-site scripting (XSS) issue can be abused to navigate to a downloaded .php script, giving potential attackers a way to execute code on vulnerable systems.

Ticket to ride

Dompdf is a popular open source PHP library used to render HTML code to PDF. Applications include ticket purchases, receipts/invoices, a variety of automated emails, Covid-19 test certificates, and more.

According to Positive Security’s Fabian Bräunlein, the software has 8,600 stars, 1,600 forks, and 59,200 dependent repositories — metrics that make it the most widely used PHP to PDF generation library.

“If the prerequisites are met, exploitation is quite easy,” Bräunlein told The Daily Swig.

Bräunlein explained that the exploitation would follow a three-part process:

  1. Serve malicious CSS file and PHP font over internet
  2. Trigger PHP font download by including external CSS when generating PDF
  3. Access the downloaded .php file to trigger the execution of arbitrary code on the server

During a client engagement, Positive Security successfully used the vulnerability to obtain the execution of arbitrary code on its client’s system.

Bräunlein said the security issues with dompdf offer secure development lessons for other software developers.

“A vulnerability like the one that currently exists in dompdf can occur quite easily in this intersection of different technologies (PHP, PDF, HTML, CSS, fonts, local and remote files),” Bräunlein said.

“As a defense-in-depth mechanism, it may therefore be wise to run the PDF generation as isolated as possible from other system components.”
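The workaround above depends on two things a defender can check: whether the directory where fonts are stored is reachable under the web root, and whether it holds files that the server would treat as PHP. The following audit sketch is an added example, not code from dompdf or Positive Security; the extension list, the directory layout and the sample files are constructed assumptions.

```python
import tempfile
from pathlib import Path

# Assumption: extensions a typical server config hands to the PHP interpreter.
PHP_EXTS = {".php", ".phtml", ".phar"}
PHP_TAG = b"<?php"

def is_web_accessible(font_dir, web_root):
    """True when font_dir resolves to a location inside web_root."""
    font_dir, web_root = Path(font_dir).resolve(), Path(web_root).resolve()
    return font_dir == web_root or web_root in font_dir.parents

def audit_font_dir(font_dir):
    """Map each suspicious file name to the reasons it was flagged."""
    findings = {}
    for path in sorted(Path(font_dir).rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        if path.suffix.lower() in PHP_EXTS:
            reasons.append("php-extension")
        # PHP open tags are case-insensitive, so compare in lower case.
        if PHP_TAG in path.read_bytes().lower():
            reasons.append("php-open-tag")
        if reasons:
            findings[path.name] = reasons
    return findings

def demo():
    """Audit a constructed font directory under a constructed web root."""
    with tempfile.TemporaryDirectory() as tmp:
        web_root = Path(tmp) / "public"
        fonts = web_root / "vendor" / "fonts"  # hypothetical layout
        fonts.mkdir(parents=True)
        header = b"\x00\x01\x00\x00 constructed font bytes "
        (fonts / "helvetica.ttf").write_bytes(header)
        (fonts / "cached_font.php").write_bytes(header + b"<?php /* marker */")
        (fonts / "odd.ttf").write_bytes(header + b"<?PHP /* marker */")
        return is_web_accessible(fonts, web_root), audit_font_dir(fonts)

if __name__ == "__main__":
    exposed, findings = demo()
    print("font directory inside web root:", exposed)
    for name, reasons in findings.items():
        print(name, reasons)
```

Findings are candidates for review rather than proof of compromise, and the extension list should be matched to the handlers the web server is actually configured with.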
