CVE-2023-24813 in Dompdfinfo

Summary

by MITRE • 02/07/2023

Dompdf is an HTML to PDF converter written in php. Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols. Dompdf parses the href attribute of `image` tags and respects `xlink:href` even if `href` is specified. However, php-svg-lib, which is later used to parse the svg file, parses the href attribute. Since `href` is respected if both `xlink:href` and `href` is specified, it's possible to bypass the protection on the Dompdf side by providing an empty `xlink:href` attribute. An attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes. This vulnerability has been addressed in commit `95009ea98` which has been included in release version 2.0.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 03/06/2023

The vulnerability identified as CVE-2023-24813 affects Dompdf, a popular PHP library used for converting HTML content into PDF documents. This issue stems from a discrepancy in how Dompdf and php-svg-lib handle attribute parsing, specifically concerning the href and xlink:href attributes within image tags. The flaw creates a bypass mechanism that allows attackers to circumvent intended security protections, enabling unauthorized URL access with potentially dangerous protocols.

The technical implementation of this vulnerability exploits the parsing behavior differences between two components within the Dompdf processing pipeline. When processing SVG files, Dompdf initially parses the href attribute of image tags while also respecting xlink:href even when href is present. However, php-svg-lib, which processes the SVG file subsequently, parses the href attribute differently. This inconsistency creates an opportunity for attackers to craft malicious SVG content where an empty xlink:href attribute combined with a valid href attribute can bypass Dompdf's security controls. The vulnerability specifically targets the attribute parsing logic and represents a classic case of improper input validation that allows protocol handling bypass.

The operational impact of this vulnerability extends beyond simple URL access, particularly in PHP versions prior to 8.0.0 where the flaw can lead to arbitrary unserialize operations. This capability enables attackers to perform arbitrary file deletion and potentially achieve remote code execution depending on the available PHP classes and system configuration. The vulnerability demonstrates a path to privilege escalation and system compromise through carefully crafted SVG input that leverages the underlying PHP serialization mechanisms. The attack surface is significant as any application using Dompdf to process user-supplied SVG content becomes vulnerable to this exploitation vector.

Security professionals should recognize this vulnerability as aligning with CWE-20, "Improper Input Validation," and potentially CWE-134, "Use of Externally-Controlled Format String," while also mapping to ATT&CK techniques involving command and control through protocol handling and arbitrary code execution. The vulnerability's exploitation requires SVG file input processing, making it particularly relevant for web applications that accept user-generated content or file uploads. The fix implemented in commit 95009ea98 and included in Dompdf version 2.0.3 addresses the core parsing inconsistency between the two libraries, requiring users to upgrade their installations to prevent exploitation. Organizations should prioritize immediate patching of affected systems and implement monitoring for suspicious SVG file processing activities, as no effective workarounds exist for this vulnerability. The remediation process must include comprehensive testing of SVG processing functionality to ensure the patch resolves the attribute parsing discrepancy without introducing regressions in legitimate document generation capabilities.

Responsible

GitHub, Inc.

Reservation

01/30/2023

Disclosure

02/07/2023

Moderation

accepted

CPE

ready

EPSS

0.02490

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!