CVE-2023-41330 Information

Description

knplabs/knp-snappy is a PHP library allowing thumbnail snapshot or PDF generation from a URL or an HTML page.

Issue

On March 17th the vulnerability CVE-2023-28115 was disclosed, allowing an attacker to gain remote code execution through PHAR deserialization. Version 1.4.2 added a check, if (\strpos($filename, 'phar://') === 0), in the prepareOutput() function to resolve this CVE. However, if the user is able to control the second parameter of the generateFromHtml() function of Snappy, that value is passed on as the $filename parameter of the prepareOutput() function. In the original vulnerability a file name with a phar:// wrapper could be sent to the fileExists() function, equivalent to the file_exists() PHP function. This allowed users to trigger deserialization of arbitrary PHAR files. To fix this issue the string is now passed to the strpos() function, and an exception is raised if it starts with phar://. However, PHP stream wrappers are case insensitive, so this patch can be bypassed using PHAR:// instead of phar://. Successful exploitation of this vulnerability allows executing arbitrary code and accessing the underlying filesystem. The attacker must be able to upload a file and the server must be running a PHP version prior to 8. This issue has been addressed in commit d3b742d61a, which is included in version 1.4.3. Users are advised to upgrade. Users unable to upgrade should ensure that only trusted users may submit data to the AbstractGenerator->generate(...) function.
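The following is an added illustration of the case-sensitivity problem described above; it is not code from knp-snappy. weakPharCheck() mirrors the 1.4.2 pattern, while hardenedFilenameCheck() is an assumed replacement (not the project's actual fix in d3b742d61a) that rejects any stream wrapper scheme case-insensitively; the sample file names are constructed placeholders.

```php
<?php
// Weak check in the 1.4.2 style: strpos() is an exact, case-sensitive match,
// so only the lowercase "phar://" prefix is rejected.
function weakPharCheck(string $filename): bool
{
    return \strpos($filename, 'phar://') !== 0; // true means "allow"
}

// Assumed hardened check: an output path for a generated PDF never needs a
// scheme, so refuse every "<scheme>://" prefix regardless of letter case
// (PHP resolves wrapper names case-insensitively) rather than blocklisting
// one spelling of one wrapper.
function hardenedFilenameCheck(string $filename): bool
{
    if (\preg_match('#^[a-z][a-z0-9+.\-]*://#i', $filename)) {
        return false;
    }
    // Also refuse control characters (NUL, newlines) that could confuse
    // later path handling.
    if (\preg_match('/[\x00-\x1f]/', $filename)) {
        return false;
    }
    return true;
}

// Constructed sample inputs: one legitimate path and several wrapper forms.
$samples = [
    '/tmp/report.pdf',          // legitimate local path
    'phar:///tmp/sample.phar',  // blocked by both checks
    'PHAR:///tmp/sample.phar',  // slips past the weak check
    'Phar:///tmp/sample.phar',  // also slips past the weak check
    'file:///tmp/report.pdf',   // other wrappers: only the hardened check blocks
];

foreach ($samples as $s) {
    printf("%-28s weak=%-5s hardened=%s\n", $s,
        weakPharCheck($s) ? 'allow' : 'deny',
        hardenedFilenameCheck($s) ? 'allow' : 'deny');
}
```

Running it shows the weak check allowing the upper- and mixed-case variants while the hardened check denies every scheme-prefixed name.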

Reference

https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc
https://github.com/KnpLabs/snappy/security/advisories/GHSA-92rv-4j2h-8mjj
https://github.com/KnpLabs/snappy/commit/d3b742d61a68bf93866032c2c0a7f1486128b67e
