Incorrect Behavior Order: Authorization Before Parsing and Canonicalization Affecting dompdf/dompdf package, versions <2.0.2
Snyk ID SNYK-PHP-DOMPDFDOMPDF-3261241
- published 1 Feb 2023
- disclosed 1 Feb 2023
- credit Blaklis
Introduced: 1 Feb 2023
CVE-2023-23924
How to fix?
Upgrade dompdf/dompdf to version 2.0.2 or higher.
Overview
Affected versions of this package are vulnerable to Incorrect Behavior Order: Authorization Before Parsing and Canonicalization due to a URI validation failure when parsing SVG. The check that validates the href of <image> tags against the allowed-protocol list is case sensitive, so it can be bypassed during SVG parsing by spelling the tag with uppercase letters (for example <Image>).
Vulnerable Behaviour
if ($type === "svg") {
    $parser = xml_parser_create("utf-8");
    xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, false); // element names arrive exactly as written
    xml_set_element_handler(
        $parser,
        function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) {
            // Case-sensitive comparison: "Image" (or "IMAGE") never enters this branch
            if ($name === "image") {
                $attributes = array_change_key_case($attributes, CASE_LOWER);
                // ... the href is read from $attributes and validated against the allowed protocols (elided on this page)
            }
        },
        function ($parser, $name) {}
    );
}
This handler tries to detect <image> tags in the SVG and takes their href so it can be validated against the protocolAllowed whitelist. However, the comparison of $name with "image" is case sensitive (case folding was explicitly disabled on the parser), so a tag spelled with any other case never reaches the check. The following SVG therefore passes:
<svg>
<Image xlink:href="phar:///foo"></Image>
</svg>
Because the tag is named Image and not image, the condition is false and the href is never validated.
A correct solution is to strtolower the $name before the check:
if (strtolower($name) === "image") {
PoC
Parsing the following SVG file is sufficient to reproduce the vulnerability:
<svg>
<Image xlink:href="phar:///foo"></Image>
</svg>
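The following script is an added example, not dompdf's own code, that puts the vulnerable comparison and the corrected one side by side over the PoC above. It drives the same expat-based parser dompdf uses (xml_parser_create with case folding disabled) and reports which <image> hrefs each variant actually examines. The function name scanSvgImageHrefs, the $strict switch, the $allowedProtocols list and the way the href is read (xlink:href or href after lower-casing the attribute keys) are assumptions made for this demonstration; the SVG input is constructed here and extends the PoC with two lowercase tags for contrast.

```php
<?php
// Added example (not dompdf's code). Names below are hypothetical.

/**
 * Walk an SVG document with xml_parser_create (case folding off, as in dompdf)
 * and return every href found on an <image> element, tagged with whether its
 * scheme is in $allowedProtocols.
 *
 * $strict = false reproduces the vulnerable comparison ($name === "image").
 * $strict = true applies the fix (strtolower($name) === "image").
 */
function scanSvgImageHrefs(string $svg, array $allowedProtocols, bool $strict): array
{
    $found = [];
    $parser = xml_parser_create("utf-8");
    // Case folding off: tag names arrive exactly as written, so "Image" !== "image".
    xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, false);
    xml_set_element_handler(
        $parser,
        function ($parser, $name, $attributes) use (&$found, $allowedProtocols, $strict) {
            $isImage = $strict ? (strtolower($name) === "image") : ($name === "image");
            if (!$isImage) {
                return; // vulnerable path: <Image> leaves here without any href check
            }
            $attributes = array_change_key_case($attributes, CASE_LOWER);
            // Without namespace processing expat hands back the raw "xlink:href" key (assumption: both spellings are accepted).
            $href = $attributes["xlink:href"] ?? $attributes["href"] ?? null;
            if ($href === null) {
                return;
            }
            $scheme = parse_url($href, PHP_URL_SCHEME);
            $found[] = [
                "tag"     => $name,
                "href"    => $href,
                // A relative href (no scheme) is left for the caller to resolve; only absolute schemes are judged here.
                "allowed" => $scheme === null || $scheme === false
                    ? null
                    : in_array(strtolower($scheme), $allowedProtocols, true),
            ];
        },
        function ($parser, $name) {}
    );
    if (!xml_parse($parser, $svg, true)) {
        throw new RuntimeException(xml_error_string(xml_get_error_code($parser)));
    }
    return $found;
}

// Constructed input: the advisory's PoC plus two lowercase tags for contrast.
$poc = <<<SVG
<svg>
  <Image xlink:href="phar:///foo"></Image>
  <image xlink:href="phar:///bar"></image>
  <image xlink:href="https://example.invalid/logo.png"></image>
</svg>
SVG;

$allowed = ["http", "https"];

foreach ([false => "vulnerable", true => "fixed"] as $strict => $label) {
    printf("%s check:\n", $label);
    foreach (scanSvgImageHrefs($poc, $allowed, (bool) $strict) as $hit) {
        $verdict = $hit["allowed"] === null ? "relative" : ($hit["allowed"] ? "allowed" : "blocked");
        printf("  <%s> %s -> %s\n", $hit["tag"], $hit["href"], $verdict);
    }
}
```

Run it with php on any PHP build that has the xml extension. The vulnerable pass lists only the two lowercase <image> hrefs, so the phar:///foo reference inside <Image> is never examined at all; the fixed pass lists all three and blocks both phar hrefs. The scheme matters: opening a path through the phar:// wrapper makes PHP unserialize the archive's metadata, which is why an unvalidated phar href in an SVG is more than a file-read concern.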