Description
Overview
This vulnerability (CVE-2021-3838) affects DomPDF library versions prior to 2.0.0. The issue stems from a lack of protocol validation before user-controlled input is passed to PHP's file_get_contents() function. When an attacker can upload a file of any type to the server, they can use the phar:// stream wrapper to trigger PHP object deserialization: when a phar:// path is opened, PHP unserializes the metadata stored in the PHAR archive and instantiates the objects it describes, potentially executing malicious code through magic methods such as __destruct() or __wakeup(). The vulnerability is especially critical when DomPDF is used alongside frameworks like Laravel that have documented PHP Object Injection chains, or in custom code with vulnerable class structures.
Remediation
- Update DomPDF to version 2.0.0 or later, which includes the security patch for this vulnerability.
- If immediate updating is not possible, implement additional validation for any file paths or URLs passed to DomPDF:
  - Explicitly whitelist allowed protocols (e.g., http://, https://, file://)
  - Block dangerous protocols like phar://, php://, zip://, data://
- Implement proper file upload validation to restrict file types and content
- Consider implementing a wrapper function around file_get_contents() that validates the protocol
- Apply the principle of least privilege to file system permissions for uploaded files
- Review your codebase for other instances where user input might influence file paths
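One way to implement the validating wrapper suggested above, as an added example in PHP (not dompdf's own code and not taken from the linked patch); the function and exception names are assumptions:

```php
<?php
// Added example (not dompdf's own code): a scheme allow-list gate around
// file_get_contents(), as the remediation list recommends. Names are assumed.

final class UnsafeResourceException extends RuntimeException {}

/**
 * Lower-cased scheme of $path, or null for a plain local path. Matches the
 * RFC 3986 scheme grammar rather than trusting parse_url(), and treats a
 * single letter ("C:\...") as a Windows drive, not a scheme.
 */
function resourceScheme(string $path): ?string
{
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', ltrim($path), $m) !== 1) {
        return null;
    }
    return strlen($m[1]) === 1 ? null : strtolower($m[1]);
}

/** True only for local paths or schemes explicitly on the allow list. */
function isAllowedResource(string $path, array $allowedSchemes): bool
{
    $scheme = resourceScheme($path);
    return $scheme === null || in_array($scheme, $allowedSchemes, true);
}

/**
 * file_get_contents() that refuses every wrapper not on the allow list
 * (phar://, php://, zip://, data://, glob://, compress.*://, ...). Validate
 * BEFORE any filesystem call: PHAR metadata is unserialized not only by
 * file_get_contents() but also by file_exists(), is_file(), filesize(), etc.
 */
function safeFileGetContents(string $path, array $allowedSchemes = ['http', 'https']): string
{
    if (!isAllowedResource($path, $allowedSchemes)) {
        throw new UnsafeResourceException('Blocked resource scheme in: ' . $path);
    }
    $data = @file_get_contents($path);
    if ($data === false) {
        throw new RuntimeException('Unable to read: ' . $path);
    }
    return $data;
}

// Constructed inputs showing the gate's decisions (nothing is actually read).
$probes = ['/var/www/uploads/logo.png', 'C:\\app\\uploads\\logo.png', 'https://example.com/logo.png',
           'PHAR://uploads/avatar.jpg/x', 'php://input', 'zip://uploads/a.zip#b', 'data://text/plain,hi'];
foreach ($probes as $p) {
    printf("%-32s %s\n", $p, isAllowedResource($p, ['http', 'https']) ? 'allow' : 'BLOCK');
}
```

Note that the scheme comparison is case-insensitive on purpose: PHP accepts PHAR:// as readily as phar://, so a case-sensitive block list would be bypassed.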
References
- Patch: https://github.com/dompdf/dompdf/commit/99aeec1efec9213e87098d42eb09439e7ee0bb6a
- Vulnerability Report and Exploit: https://huntr.com/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e
- PHAR Deserialization Documentation: https://blog.secarma.co.uk/labs/near-phar-dangerous-unserialization-wherever-you-are
- PHP Object Injection: https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
- CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
Industry Exposure (most to least)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
- Finance and Insurance
- Manufacturing
- Public Administration
- Accommodation & Food Services
- Administrative, Support, Waste Management & Remediation Services
- Agriculture, Forestry, Fishing & Hunting
- Arts, Entertainment & Recreation
- Construction
- Educational Services
- Health Care & Social Assistance
- Information
- Management of Companies & Enterprises
- Mining
- Other Services (except Public Administration)
- Professional, Scientific, & Technical Services
- Real Estate, Rental & Leasing
- Retail Trade
- Transportation & Warehousing
- Utilities
- Wholesale Trade