GHSA-56gj-mvh6-rp75
Suggest an improvement- Source
- https://github.com/advisories/GHSA-56gj-mvh6-rp75
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-56gj-mvh6-rp75/GHSA-56gj-mvh6-rp75.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-56gj-mvh6-rp75
- Aliases
- Published
- 2023-02-07T18:16:23Z
- Modified
- 2023-11-08T04:11:48.697632Z
- Severity
-
- 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- URI validation failure on SVG parsing. Bypass of CVE-2023-23924
- Details
-
Summary
Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols.
Details
Dompdf parses the href attribute of
imagetags with the following code:src/Image/Cache.phpline 135-150function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) { if (strtolower($name) === "image") { $attributes = array_change_key_case($attributes, CASE_LOWER); $url = $attributes["xlink:href"] ?? $attributes["href"]; if (!empty($url)) { $inner_full_url = Helpers::build_url($parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $url); if ($inner_full_url === $full_url) { throw new ImageException("SVG self-reference is not allowed", E_WARNING); } [$resolved_url, $type, $message] = self::resolve_url($url, $parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $options); if (!empty($message)) { throw new ImageException("This SVG document references a restricted resource. $message", E_WARNING); } } } },As you can see from the code snippet above, it respects
xlink:hrefeven ifhrefis specified.$url = $attributes["xlink:href"] ?? $attributes["href"];However, php-svg-lib, which is later used to parse the svg file, parses the href attribute with the following code:
src/Svg/Tag/Image.phpline 51-57if (isset($attributes['xlink:href'])) { $this->href = $attributes['xlink:href']; } if (isset($attributes['href'])) { $this->href = $attributes['href']; }Since
hrefis respected if bothxlink:hrefandhrefis specified, it's possible to bypass the protection on the Dompdf side by providing an emptyxlink:hrefattribute.Impact
An attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes.
- Database specific
{ "nvd_published_at": "2023-02-07T19:15:00Z", "github_reviewed_at": "2023-02-07T18:16:23Z", "severity": "CRITICAL", "github_reviewed": true, "cwe_ids": [ "CWE-436" ] }- References
Affected packages
Packagist / dompdf/dompdf
Package
- Name
- dompdf/dompdf
- Purl
- pkg:composer/dompdf/dompdf