mPDF: Remote Code Execution Vulnerability

This commit mitigates insufficient validation in mPDF library that enables a malicious intruder to inject arbitrary PHP objects via css @import utility that may result in Remote Code Execution.

mPDF: Remote Code Execution Vulnerability
This commit mitigates insufficient validation in mPDF library that enables a malicious intruder to inject arbitrary PHP objects via css @import utility that may result in Remote Code Execution.
6e039ab7 · Peter Rotich · 9951125e · 6e039ab7 · 6e039ab7
Commit 6e039ab7 authored 5 years ago by Peter Rotich
--- a/include/class.pdf.php
+++ b/include/class.pdf.php
@@ -19,6 +19,9 @@ define('THIS_DIR', str_replace('\\', '/', Misc::realpath(dirname(__FILE__))) . '

 require_once(INCLUDE_DIR.'mpdf/vendor/autoload.php');

+// unregister phar stream to mitigate vulnerability in mpdf library
+@stream_wrapper_unregister('phar');
+
 class mPDFWithLocalImages extends Mpdf {
    function WriteHtml($html, $sub = 0, $init = true, $close = true) {
        static $filenumber = 1;

--- a/include/mpdf/vendor/mpdf/mpdf/src/CssManager.php
+++ b/include/mpdf/vendor/mpdf/mpdf/src/CssManager.php
@@ -2224,6 +2224,17 @@ class CssManager
 			$path = preg_replace('/\.css\?.*$/', '.css', $path);
 		}

+        /*** Start osTicket Security Patch ***/
+
+        // Make sure only schemes allowed are http & https - this is to
+        // neutralize phar:// attack
+        $scheme = parse_url($path, PHP_URL_SCHEME);
+        if ($scheme && !in_array(strtolower($scheme), ['http', 'https']))
+            return '';
+
+        /*** End osTicket Security Patch ***/
+
+
 		$contents = @file_get_contents($path);

 		if ($contents) {