Source code of test class:

```php
<?php
namespace TestLib;

class VulnerableClass
{
    private $file;
    private $content;

    public function __construct($file, $content)
    {
        $this->file = $file;
        $this->content = $content;
    }

    /* ... */

    // Called when the object is garbage-collected, i.e. right after
    // unserialize() of the phar metadata builds this object.
    public function __destruct()
    {
        $this->save($this->file, $this->content);
    }

    public function save($file, $content)
    {
        file_put_contents($file, $content);
    }
}
?>
```
Hello,
During bug bounty hunting I encountered an old version of your library and decided to test it for known vulnerabilities, namely PHP deserialization through the phar:// wrapper, which was discovered independently by @s-n-t and @orangetw.
Presentation Slides by Sam Thomas
White Paper by Sam Thomas
CTF challenge by Orange Tsai
So, after some tests, it looks like your library has a similar issue to the TCPDF library.
The getImage() method of the Image/ImageProcessor class passes the value of the src attribute of an img tag to the fopen() function, which can lead to PHP deserialization if the value contains the phar:// wrapper.
https://github.com/mpdf/mpdf/blob/development/src/Image/ImageProcessor.php#L215
For the proof of concept I created a class with a __destruct() method (based on the GuzzleHttp deserialization chain) and used the phpggc library to create an image which contains phar metadata. The phpggc repo also provides dozens of popular deserialization chains for popular frameworks and libraries.
Source code of trigger script:
Video Proof Of Concept
Tested on versions 5.4.0 and 7.1.7 (latest).
PHP 7.1.25
TCPDF CVE:
https://nvd.nist.gov/vuln/detail/CVE-2018-17057
TCPDF fix commit that disallows passing paths with the phar:// wrapper:
tecnickcom/TCPDF@1861e33
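The mitigation the report points at (the TCPDF fix) is to refuse wrapper-prefixed paths before they reach fopen(). The following is an added example, not mpdf's or TCPDF's own code: a hypothetical allowlist check for an img src value, plus the option of unregistering the phar wrapper for the whole process.

```php
<?php
// Added example (not mpdf's code). isAllowedImageSource() and openImageSource()
// are hypothetical helper names; the allowlist below is an assumption.

/**
 * Decide whether an image source may be handed to fopen()/file_get_contents().
 * Only plain local paths and http(s) URLs pass. Every other scheme (phar://,
 * ftp://, compress.zlib://, data:, ...) is rejected. An allowlist, rather than a
 * blocklist of "phar://", also covers mixed-case forms such as "PHAR://" and
 * wrappers stacked in front of phar://. data: URIs are expected to be decoded
 * by separate code and must not be routed through this check.
 */
function isAllowedImageSource(string $src): bool
{
    $src = trim($src);
    if ($src === '') {
        return false;
    }
    // Any "scheme:" prefix selects a PHP stream wrapper (scheme is case-insensitive).
    if (preg_match('#^([a-z][a-z0-9+.\-]*):#i', $src, $m)) {
        $scheme = strtolower($m[1]);
        if (strlen($scheme) === 1) {
            return true; // Windows drive letter such as "C:\images\logo.png"
        }
        return in_array($scheme, ['http', 'https'], true);
    }
    return true; // bare relative or absolute local path
}

/** fopen() guarded by the allowlist; returns a stream resource or null. */
function openImageSource(string $src)
{
    if (!isAllowedImageSource($src)) {
        return null;
    }
    return @fopen($src, 'rb');
}

// Defence in depth: if the process never needs phar://, remove the wrapper
// entirely so no later fopen()/file_exists() call can trigger unserialize().
// This is process-wide, so only do it where nothing relies on phar://.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Constructed inputs for a quick self-check.
$cases = [
    'logo.png'                        => true,
    'https://example.com/logo.png'    => true,
    'phar:///tmp/evil.jpg/x'          => false,
    'PHAR://evil.jpg'                 => false,
    'compress.zlib://phar://evil.jpg' => false,
];
foreach ($cases as $input => $expected) {
    assert(isAllowedImageSource($input) === $expected);
}
```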