GHSA-F3QR-QR4X-J273

Vulnerability from github – Published: 2024-02-21 18:04 – Updated: 2024-02-21 19:33
VLAI?
Summary
php-svg-lib lacks path validation on font through SVG inline styles
Details

Summary

php-svg-lib fails to validate that font-family doesn't contain a PHAR url, which might leads to RCE on PHP < 8.0, and doesn't validate if external references are allowed. This might leads to bypass of restrictions or RCE on projects that are using it, if they do not strictly revalidate the fontName that is passed by php-svg-lib.

Details

The Style::fromAttributes(), or the Style::parseCssStyle() should check the content of the font-family and prevents it to use a PHAR url, to avoid passing an invalid and dangerous fontName value to other libraries. The same check as done in the Style::fromStyleSheets might be reused : 

                if (
                    \array_key_exists("font-family", $styles)
                    && (
                        \strtolower(\substr($this->href, 0, 7)) === "phar://"
                        || ($this->document->allowExternalReferences === false && \strtolower(\substr($this->href, 0, 5)) !== "data:")
                    )
                ) {
                    unset($style["font-family"]);
                }

PoC

Parsing the following SVG : 

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
    <text x="20" y="35" style="color:red;font-family:phar:///path/to/whatever.phar/blaklis;">My</text>
</svg>

will pass the phar:///path/to/whatever.phar/blaklis as $family in SurfaceCpdf::setFont, which is then passed to the canvas selectFont as a $fontName.

Impact

Libraries using this library as a dependency might be vulnerable to some bypass of restrictions, or even RCE, if they do not double check the value of the fontName that is passed by php-svg-lib

Severity ?
6.8 (Medium)
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phenx/php-svg-lib"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-25117"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502",
      "CWE-610",
      "CWE-73"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-21T18:04:16Z",
    "nvd_published_at": "2024-02-21T17:15:09Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nphp-svg-lib fails to validate that font-family doesn\u0027t contain a PHAR url, which might leads to RCE on PHP \u003c 8.0, and doesn\u0027t validate if external references are allowed. This might leads to bypass of restrictions or RCE on projects that are using it, if they do not strictly revalidate the fontName that is passed by php-svg-lib.\n\n### Details\nThe Style::fromAttributes(), or the Style::parseCssStyle() should check the content of the `font-family` and prevents it to use a PHAR url, to avoid passing an invalid and dangerous `fontName` value to other libraries. The same check as done in the Style::fromStyleSheets might be reused : \n\n```\n                if (\n                    \\array_key_exists(\"font-family\", $styles)\n                    \u0026\u0026 (\n                        \\strtolower(\\substr($this-\u003ehref, 0, 7)) === \"phar://\"\n                        || ($this-\u003edocument-\u003eallowExternalReferences === false \u0026\u0026 \\strtolower(\\substr($this-\u003ehref, 0, 5)) !== \"data:\")\n                    )\n                ) {\n                    unset($style[\"font-family\"]);\n                }\n```\n\n### PoC \n\nParsing the following SVG : \n\n```\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?\u003e\n\u003csvg xmlns:svg=\"http://www.w3.org/2000/svg\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" width=\"200\" height=\"200\"\u003e\n    \u003ctext x=\"20\" y=\"35\" style=\"color:red;font-family:phar:///path/to/whatever.phar/blaklis;\"\u003eMy\u003c/text\u003e\n\u003c/svg\u003e\n```\n\nwill pass the `phar:///path/to/whatever.phar/blaklis` as `$family` in `SurfaceCpdf::setFont`, which is then passed to the canvas `selectFont` as a `$fontName`.\n\n### Impact\nLibraries using this library as a dependency might be vulnerable to some bypass of restrictions, or even RCE, if they do not double check the value of the `fontName` that is passed by php-svg-lib",
  "id": "GHSA-f3qr-qr4x-j273",
  "modified": "2024-02-21T19:33:13Z",
  "published": "2024-02-21T18:04:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-f3qr-qr4x-j273"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25117"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dompdf/php-svg-lib/commit/732faa9fb4309221e2bd9b2fda5de44f947133aa"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dompdf/php-svg-lib/commit/8ffcc41bbde39f09f94b9760768086f12bbdce42"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dompdf/php-svg-lib"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "php-svg-lib lacks path validation on font through SVG inline styles "
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.