Remote code execution vulnerability through persisted font #2598

Closed
breakingsystems opened this issue Oct 12, 2021 · 2 comments · Fixed by #2808


breakingsystems commented Oct 12, 2021

A malicious user is able to use Dompdf to execute code remotely under the following conditions:

  • the Dompdf font directory (dompdf/lib/fonts by default) is accessible through the web
  • a remote user is able to inject CSS into a document rendered by Dompdf

On a vulnerable system a user can reference a specially crafted font file that is able to pass the initial parsing process, at which time Dompdf persists the font file to the font directory with an extension matching that of the file on the remote system. At this point the user is able to load the persisted file to execute code within the context of the PHP process.

Recommended mitigations for Dompdf versions prior to 1.2.1:

  • move Dompdf and/or the Dompdf font directory outside the web root
  • disable access to remote resources by setting the isRemoteEnabled option to false
  • sanitize user input

Vulnerability details are available on the Positive Security blog.

Refer to the wiki for additional information on securing Dompdf.
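The mitigations listed in the report above, combined into one hardened setup. This is an added example, not part of the original issue or the Dompdf project's code; the paths, the function names `isInside` and `hardenedDompdf`, and the sample input are assumptions, and Dompdf is assumed to be installed through Composer.

```php
<?php
// Added example: applies the three mitigations from the issue report.
require __DIR__ . '/vendor/autoload.php';

use Dompdf\Dompdf;
use Dompdf\Options;

/** True when $path resolves (symlinks included) to a location inside $root. */
function isInside(string $path, string $root): bool
{
    $p = realpath($path);
    $r = realpath($root);
    if ($p === false || $r === false) {
        throw new RuntimeException("Path does not exist: $path or $root");
    }
    $r = rtrim($r, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($p . DIRECTORY_SEPARATOR, $r, strlen($r)) === 0;
}

/** Build a Dompdf instance, refusing to start with a web-reachable font directory. */
function hardenedDompdf(string $webRoot, string $fontDir): Dompdf
{
    // Mitigation 1: keep the font directory outside the web root.
    if (isInside($fontDir, $webRoot)) {
        throw new RuntimeException("Font directory $fontDir is inside web root $webRoot");
    }
    $options = new Options();
    $options->setFontDir($fontDir);    // must exist and be writable by PHP
    $options->setFontCache($fontDir);
    // Mitigation 2: no remote resources, so injected CSS cannot fetch a remote font.
    $options->setIsRemoteEnabled(false);
    return new Dompdf($options);
}

$webRoot = '/var/www/html';          // assumed deployment path
$fontDir = '/var/lib/dompdf/fonts';  // assumed deployment path

// Mitigation 3: escape user input before it reaches the rendered document.
$userInput = '</p><style>p { color: red }</style>';  // constructed sample input
$safe = htmlspecialchars($userInput, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

$dompdf = hardenedDompdf($webRoot, $fontDir);
$dompdf->loadHtml("<html><body><p>Hello, $safe</p></body></html>");
$dompdf->render();
file_put_contents(sys_get_temp_dir() . '/out.pdf', $dompdf->output());
```

Running the path check at startup turns a misplaced font directory into a hard failure instead of a silent exposure.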

breakingsystems changed the title from "Security vulnerabilty in dompdf" to "Vulnerability in dompdf" on Oct 12, 2021
bsweeney added this to the 2.0.0 milestone on Oct 13, 2021

bsweeney (Member) commented

I apologize for the delay. We have received the information and will review.

bsweeney modified the milestones: 2.0.0, 1.2.1 on Mar 16, 2022
bsweeney changed the title from "Vulnerability in dompdf" to "Remote code execution vulnerability through persisted font" on Mar 16, 2022

bsweeney (Member) commented

FYI, after reviewing the vulnerability and in consideration of the public release I'm going to include a patch in the upcoming 1.2.1 release.
