CVE-2023-23924: URI validation failure on SVG parsing in Dompdf
First published: Tue Jan 31 2023(Updated: )
### Summary The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `<image>` tags with uppercase letters. This might leads to arbitrary object unserialize on PHP < 8, through the `phar` URL wrapper. ### Details The bug occurs during SVG parsing of `<image>` tags, in src/Image/Cache.php : ``` if ($type === "svg") { $parser = xml_parser_create("utf-8"); xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, false); xml_set_element_handler( $parser, function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) { if ($name === "image") { $attributes = array_change_key_case($attributes, CASE_LOWER); ``` This part will try to detect `<image>` tags in SVG, and will take the href to validate it against the protocolAllowed whitelist. However, the `$name comparison with "image" is case sensitive, which means that such a tag in the SVG will pass : ``` <svg> <Image xlink:href="phar:///foo"></Image> </svg> ``` As the tag is named "Image" and not "image", it will not pass the condition to trigger the check. A correct solution would be to strtolower the `$name` before the check : ``` if (strtolower($name) === "image") { ``` ### PoC Parsing the following SVG file is sufficient to reproduce the vulnerability : ``` <svg> <Image xlink:href="phar:///foo"></Image> </svg> ``` ### Impact An attacker might be able to exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will leads at the very least to an arbitrary file deletion, and might leads to remote code execution, depending on classes that are available.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/dompdf/dompdf | <2.0.2 | |
| composer/dompdf/dompdf | <2.0.2 | 2.0.2 |
| Dompdf | =2.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/advisories/GHSA-3cw5-7cxw-v5qg (Advisory)
- https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg
- https://nvd.nist.gov/vuln/detail/CVE-2023-23924
- https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85
- https://github.com/dompdf/dompdf/releases/tag/v2.0.2
- https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2023-23924.yaml
Frequently Asked Questions
What is CVE-2023-23924?
CVE-2023-23924 is a vulnerability that allows URI validation bypass on dompdf 2.0.1, leading to arbitrary object unserialize on PHP < 8.
How does the vulnerability in CVE-2023-23924 occur?
The vulnerability occurs during SVG parsing of `<image>` tags in dompdf.
What is the severity of CVE-2023-23924?
The severity of CVE-2023-23924 is critical (severity value: 10).
Which software versions are affected by CVE-2023-23924?
Versions up to 2.0.2 of dompdf are affected by CVE-2023-23924.
How can I fix CVE-2023-23924?
To fix CVE-2023-23924, update dompdf to version 2.0.2.
- collector/friends-of-php
- collector/github-advisory
- alias/GHSA-3cw5-7cxw-v5qg
- alias/CVE-2023-23924
- agent/weakness
- agent/author
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/title
- agent/remedy
- agent/severity
- agent/last-modified-date
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- package-manager/composer
- vendor/dompdf project
- canonical/dompdf
- version/dompdf/2.0.1