header-logo
Suggest Exploit
vendor:
dompdf
by:
Alejo Murillo Moyas
7,5
CVSS
HIGH
Arbitrary file read
22
CWE
Product Name: dompdf
Affected Version From: v0.6.0
Affected Version To: v0.6.1
Patch Exists: YES
Related CWE: CVE-2014-2383
CPE: dompdf
Metasploit: https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2014-5013/
Other Scripts: N/A
Tags: cve,lfi,wp-plugin,wpscan,cve2014,dompdf,wordpress,wp,edb,seclists
CVSS Metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P
Nuclei References: https://www.exploit-db.com/exploits/33004http://seclists.org/fulldisclosure/2014/Apr/258https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2383/https://wpscan.com/vulnerability/1d64d0cb-6b71-47bb-8807-7c8350922582https://nvd.nist.gov/vuln/detail/CVE-2014-2383
Nuclei Metadata: {'max-request': 11, 'verified': True, 'vendor': 'dompdf', 'product': 'dompdf'}
Platforms Tested: Web
2014

Arbitrary file read in dompdf

A vulnerability in dompdf.php in dompdf before 0.6.1, when DOMPDF_ENABLE_PHP is enabled, allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the input_file parameter, as demonstrated by a php://filter/read=convert.base64-encode/resource in the input_file parameter.

Mitigation:

Disable the DOMPDF_ENABLE_PHP and DOMPDF_ENABLE_REMOTE flags, and ensure that the DOMPDF_CHROOT flag is properly configured.
Source

Exploit-DB raw data:

Vulnerability title: Arbitrary file read in dompdf
CVE: CVE-2014-2383
Vendor: dompdf
Product: dompdf
Affected version: v0.6.0
Fixed version: v0.6.1 (partial fix)
Reported by: Alejo Murillo Moyas

Details:
An arbitrary file read vulnerability is present on dompdf.php file that
allows remote or local attackers to read local files using a special
crafted argument. This vulnerability requires the configuration flag
DOMPDF_ENABLE_PHP to be enabled (which is disabled by default).

Using PHP protocol and wrappers it is possible to bypass the dompdf's
"chroot" protection (DOMPDF_CHROOT) which prevents dompdf from accessing
system files or other files on the webserver. Please note that the flag
DOMPDF_ENABLE_REMOTE needs to be enabled.

Command line interface:
php dompdf.php
php://filter/read=convert.base64-encode/resource=<PATH_TO_THE_FILE>

Web interface:
   
http://example/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=<PATH_TO_THE_FILE>
        

Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2383/


Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights
reserved worldwide. Permission is hereby granted for the electronic
redistribution of this information. It is not to be edited or altered in
any way without the express written consent of Portcullis Computer
Security Limited.

Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties, implied or otherwise, with regard to this information
or its use. Any use of this information is at the user's risk. In no
event shall the author/distributor (Portcullis Computer Security
Limited) be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.

Navigation

Suggest Exploit

Services By CQR