Security flaws exposed in popular dompdf PHP library

Workaround offered for unpatched PDF-to-HTML rendering vulnerability

UPDATED A new release of the dompdf library that patches against the vulnerability was released on March 24.

A popular software library for rendering PDFs from HTML documents suffers from an unpatched vulnerability that poses a remote code execution (RCE) risk, security researchers claim.

Flaws in the dompdf library were uncovered by German security consultancy Positive Security during the audit of a client’s website.

Although it remains unpatched even in the latest version of dompdf (v1.2.0), the vulnerability can be addressed by making sure the software is not in a web-accessible directory.

In addition, it is advisable to sanitize user-supplied input to dompdf installations, at least pending the release of a security update. Suggested mitigations are outlined in greater detail in a post by dompdf's developers.

Communication hiccup

Although Positive Security contacted dompdf’s developers soon after the vulnerability was discovered last October, the disclosure email was not seen by project maintainer Brian Sweeney because the message was incorrectly misclassified as spam.

In response to queries from The Daily Swig, Sweeney responded promptly to state he agreed with Positive Security’s main findings.

Catch up on the latest security research news

“After reviewing the vulnerability details the next release (1.2.1) will include a patch,” Sweeney told The Daily Swig. “I still cannot provide a timeline for that release, though I would expect it to be within the next few weeks.”

“I can confirm that the reported vulnerability is valid and is unpatched at this time.”

“Positive Security did an excellent job with their research,” Sweeney concluded.

From a dompdf user’s perspective, it’s valuable to know about known security risks and possible workarounds, so Positive Security decided to go public with details of the vulnerability on Wednesday (March 16) ¬– even in the absence of a patch.

In a technical blog post, Positive Security explains how the software is vulnerable because it

Allowed potential attackers to upload font files with a .php extension to the web server.

Because of this security shortcoming a reflected cross-site scripting (XSS) issue can be abused to navigate towards an uploaded .php script, offering a way for potential attackers to achieve code execution on vulnerable systems.

Ticket to ride

Dompdf is a popular open source PHP library that’s used for rendering HTML code as PDFs. Applications include ticket purchases, receipts/invoices, a variety of automated emails, Covid-19 test certificates, and more.

The software has 8,600 stars, 1,600 forks and 59,200 dependant repositories – metrics that make it the most widely used PHP-to-PDF generation library, according to Positive Security’s Fabian Bräunlein.

“In case the preconditions are met, exploitation is quite easy,” Bräunlein told The Daily Swig.

Bräunlein explained that exploitation would follow a three-part process:

  1. Serve the malicious CSS file and PHP font on the internet
  2. Trigger the download of the PHP font by including the external CSS during PDF generation
  3. Access the downloaded .php file to trigger arbitrary code execution on the server

During a client engagement, Positive Security successfully used the vulnerability to gain arbitrary code execution on our client's system.

Bräunlein said the security issues with dompdf offers secure development lessons for other software developers.

“A vulnerability like the one now in dompdf can happen quite easily in this intersection of different technologies (PHP, PDF, HTML, CSS, fonts, local, and remote files),” Bräunlein said.

“As a defense-in-depth mechanism, it can therefore make sense to run the PDF generation as isolated as possible from other components of the system.”

YOU MAY ALSO LIKE Unpatched plugins threaten millions of WordPress websites