CVE-2023-28115 Information
Description
Snappy is a PHP library allowing thumbnail snapshot or PDF generation from a URL or an HTML page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_exists() function. If an attacker can upload files of any type to the server, they can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution, especially when Snappy is used with frameworks with documented POP chains, such as Laravel/Symfony, or with vulnerable developer code. If a user can control the output file passed to the generateFromHtml() function, it will invoke deserialization. This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains. It has been fixed in version 1.4.2.
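As an added example (not Snappy's own code, and not the project's actual fix), a defensive check for the output-path handling the description refers to: reject any path carrying a stream-wrapper scheme such as phar:// before it reaches file_exists(), and additionally confine the file to an expected directory. The class name, the helper names and the allowed-directory argument are assumptions; the weak form is shown only to contrast with the guarded one.

```php
<?php
declare(strict_types=1);

// Added example, not from the Snappy project. Hypothetical helper that
// validates an output path before it is handed to file_exists()/unlink().
final class OutputPathGuard
{
    // Reject any path that begins with a stream-wrapper scheme (phar://,
    // data://, php://, ...) and require it to live under $allowedDir.
    // Returns the normalised absolute path on success.
    public static function assertLocalPath(string $path, string $allowedDir): string
    {
        // A "scheme://" prefix routes filesystem functions through a wrapper.
        // phar:// in particular unserializes the archive metadata when
        // file_exists() touches it, which is the trigger the advisory describes.
        if (preg_match('~^[a-z][a-z0-9+.\-]*://~i', $path) === 1) {
            throw new InvalidArgumentException('Stream wrappers are not allowed in the output path');
        }

        $baseDir = realpath($allowedDir);
        if ($baseDir === false) {
            throw new RuntimeException('Allowed output directory does not exist');
        }
        $prefix = rtrim($baseDir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

        // The output file may not exist yet, so resolve its parent directory instead.
        $parent = realpath(dirname($path));
        if ($parent === false || !str_starts_with($parent . DIRECTORY_SEPARATOR, $prefix)) {
            throw new InvalidArgumentException('Output path must be inside the allowed directory');
        }

        return $parent . DIRECTORY_SEPARATOR . basename($path);
    }
}

// Weak pattern from the description: the user-controlled output name reaches
// file_exists() unchecked, so a phar:// value triggers deserialization.
function prepareOutputWeak(string $output, bool $overwrite): void
{
    if (file_exists($output) && $overwrite) {
        unlink($output);
    }
}

// Guarded form: validate first, then call the filesystem functions on a plain path.
function prepareOutputSafe(string $output, bool $overwrite, string $allowedDir): string
{
    $safe = OutputPathGuard::assertLocalPath($output, $allowedDir);
    if ($overwrite && file_exists($safe)) {
        unlink($safe);
    }
    return $safe;
}
```

str_starts_with() requires PHP 8.0 or later; on older releases substitute strncmp() with the prefix length.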
Reference
https://github.com/KnpLabs/snappy/releases/tag/v1.4.2
https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc
https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3
https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6
https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670
https://github.com/KnpLabs/snappy/pull/469