Insecure PHP deserialization through phar:// wrapper. #949

@ByQwert

Hello,

During bug bounty hunting I came across an old version of your library and decided to test it for known vulnerabilities, namely PHP deserialization through the phar:// wrapper that was discovered independently by @s-n-t and @orangetw.

Presentation Slides by Sam Thomas
White Paper by Sam Thomas
CTF challenge by Orange Tsai

So, after some tests, it looks like your library has a similar issue to the TCPDF library.

The getImage() method of the Image/ImageProcessor class passes the value of the src attribute of an img tag to the fopen() function, which can lead to PHP deserialization if the value contains the phar:// wrapper.
https://github.com/mpdf/mpdf/blob/development/src/Image/ImageProcessor.php#L215

For the proof of concept I created a class with a __destruct() method (based on the GuzzleHttp deserialization chain) and used the phpggc library to create an image which contains phar metadata. The phpggc repo also provides dozens of popular deserialization chains for popular frameworks and libraries.

Source code of test class:

<?php

namespace TestLib;

// Minimal gadget class for the PoC: the only thing that matters is that
// __destruct() performs a file write using attacker-controlled properties.
class VulnerableClass {

    private $file;
    private $content;

    public function __construct($file, $content) {
        $this->file = $file;
        $this->content = $content;
    }

    /* ... */

    // Runs when the unserialized object is destroyed, i.e. right after the
    // phar metadata has been deserialized by fopen('phar://...').
    public function __destruct() {
        $this->save($this->file, $this->content);
    }

    public function save($file, $content) {
        file_put_contents($file, $content);
    }
}

?>

Source code of trigger script:

<?php

// The gadget class above must be loaded so that unserialize() can instantiate it.
require('lib/class.php');

require_once __DIR__ . '/../vendor/autoload.php';

// HTML comes straight from the query string; an <img src="phar://..."> tag in it
// reaches fopen() inside ImageProcessor::getImage().
$input = isset($_GET['input']) ? $_GET['input'] : '';

$mpdf = new \Mpdf\Mpdf();
$mpdf->WriteHTML($input);
$mpdf->Output();

?>

Video Proof Of Concept

Tested on version 5.4.0 and 7.1.7 (latest).
PHP 7.1.25

TCPDF CVE:
https://nvd.nist.gov/vuln/detail/CVE-2018-17057
TCPDF fix commit that disallows passing paths with the phar:// wrapper:
tecnickcom/TCPDF@1861e33
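Added defensive example, written for this page and not code from mpdf or from the issue reporter: a check a library could run on an img src value before it reaches fopen(), refusing the phar:// wrapper (and every other unexpected stream wrapper) rather than trying to blacklist one name. The function name, the allow-list of schemes and the $baseDir argument are assumptions made for this example.

```php
<?php
// Added example, not mpdf's or the reporter's code. Assumed names: the function
// isAllowedImageSource(), the allow-list ['http', 'https', 'data'] and $baseDir.

/**
 * Decide whether an <img src> value may be handed to fopen()/file_get_contents().
 * Remote sources are accepted only over http/https (plus data: URIs); any other
 * stream wrapper, phar:// included, is refused. Local paths must resolve inside
 * $baseDir, which also blocks "../" traversal out of the image directory.
 */
function isAllowedImageSource(string $src, string $baseDir): bool
{
    $src = trim($src);

    // Match a URL scheme. The match is case-insensitive because PHP looks up
    // stream wrappers case-insensitively, so "PHAR://" behaves like "phar://".
    // (Caveat: a Windows drive letter such as "C:\..." also matches here and is
    // refused; pass such images as paths relative to $baseDir instead.)
    if (preg_match('~^([a-z][a-z0-9+.\-]*):~i', $src, $m)) {
        return in_array(strtolower($m[1]), ['http', 'https', 'data'], true);
    }

    // No scheme: treat the value as a local file and require it to live under
    // $baseDir. realpath() returns false for a missing file, which is refused too.
    $real = realpath($src);
    $base = realpath($baseDir);
    if ($real === false || $base === false) {
        return false;
    }
    return strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

// Constructed sample inputs for a quick self-check from the CLI.
$samples = [
    'https://example.test/logo.png'      => true,
    'data:image/png;base64,iVBORw0KGgo=' => true,
    'phar://uploads/avatar.jpg/x'        => false,
    'PHAR://uploads/avatar.jpg/x'        => false,
    'ftp://example.test/logo.png'        => false,
    '/etc/passwd'                        => false, // outside $baseDir
];
foreach ($samples as $src => $expected) {
    $ok = isAllowedImageSource($src, __DIR__);
    printf("%-40s %s\n", $src, $ok === $expected ? 'as expected' : 'MISMATCH');
}
```

An allow-list of schemes is preferable to rejecting the literal string "phar://", because the same fopen() call also honours other wrappers and because the lookup is case-insensitive. Where an application never needs phar archives at runtime, calling stream_wrapper_unregister('phar') at bootstrap removes the wrapper process-wide, so no later filesystem function (fopen, file_exists, getimagesize and the like) can trigger the metadata deserialization at all.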
