vicevirus’ Blog

🔎 spatie/browsershot ≤ 5.0.0: Improper Input Validation Leading to Local File Read (LFR) CVE-2024-21544

Summary


A vulnerability in spatie/browsershot allows an attacker to bypass the URL validation check in the setUrl method by using leading whitespace (%20) before the file:// protocol. This bypass enables Local File Read (LFR), allowing attackers to read sensitive files on the server, such as /etc/passwd. The vulnerability is due to improper input validation in the URL parsing logic.

CVSS 4.0


CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

8.7 / High

Affected versions


spatie/browsershot <= 5.0.0

Fixed versions


The issue has been addressed and fixed in version 5.0.1 of spatie/browsershot. Users are strongly advised to update to this version or later to mitigate the vulnerability.

Details


Version 5.0.0 of spatie/browsershot performs improper input validation in the setUrl method, allowing attackers to bypass the URL validation logic. This flaw enables Local File Read (LFR) through URLs that are not properly validated. Specifically, the input is not sanitized before the check, so variants with leading whitespace (%20), tab characters (\t), or newline characters (\n) bypass the file:// protocol restriction.

The vulnerability lies in the following code snippet, where leading whitespace and encoded inputs are not normalized or trimmed before performing the validation:

(src/Browsershot.php)

// https://github.com/spatie/browsershot/blob/1e212b596c104138550ed4ef1b9977d8df570c67/src/Browsershot.php#L260-L262

public function setUrl(string $url): static
{
    // Denylist check on the raw, untrimmed string: only a URL that literally
    // begins with "file://" or "file:/" is rejected.
    if (str_starts_with(strtolower($url), 'file://') || str_starts_with(strtolower($url), 'file:/')) {
        throw FileUrlNotAllowed::make();
    }

    $this->url = $url;
    $this->html = '';

    return $this;
}

Root Cause:
  • The str_starts_with function does not account for leading whitespace, %20, or other encoded characters that may precede the file:// scheme.
  • Input like %20file:// is not rejected, bypassing the validation.
Example Exploitation:

Attackers can craft payloads using variations like:

  • %20file://...
  • \tfile://...
  • \nfile://...

These payloads bypass validation, allowing Local File Read (LFR) attacks.
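As an added example (not browsershot's own code, and not the 5.0.1 patch; the function names are hypothetical), the 5.0.0 prefix check is shown next to a normalize-then-allowlist variant, both run over the bypass inputs listed above:

```php
<?php
// Added example: the vulnerable denylist check beside a hardened allowlist check.

// Mirrors the 5.0.0 setUrl() logic: a pure prefix comparison on the raw string,
// so any leading character (space, tab, newline, "%20") defeats it.
function rejectsFileUrlVulnerable(string $url): bool
{
    $lower = strtolower($url);
    return str_starts_with($lower, 'file://') || str_starts_with($lower, 'file:/');
}

// Hardened variant: percent-decode, strip leading/trailing whitespace and control
// bytes, then allowlist the scheme instead of denylisting "file".
function isAllowedUrl(string $url, array $allowedSchemes = ['http', 'https']): bool
{
    $normalized = preg_replace('/^[\x00-\x20]+|[\x00-\x20]+$/', '', rawurldecode($url));

    // parse_url() returns null when there is no scheme and false on malformed input
    // (e.g. a double-encoded "%20file://..." whose scheme is not a valid token);
    // both cases are rejected, so only a recognised scheme gets through.
    $scheme = parse_url($normalized, PHP_URL_SCHEME);
    if (!is_string($scheme)) {
        return false;
    }
    return in_array(strtolower($scheme), $allowedSchemes, true);
}

// Constructed sample inputs: the bypass variants named in the advisory plus a benign URL.
$samples = [
    'file:///etc/passwd',      // caught by both checks
    '%20file:///etc/passwd',   // percent-encoded leading space
    "\tfile:///etc/passwd",    // leading tab
    "\nfile:///etc/passwd",    // leading newline
    ' FILE:///etc/passwd',     // literal space plus upper case
    'https://example.com/',    // legitimate target
];

foreach ($samples as $url) {
    printf("%-28s vulnerable rejects: %-4s hardened allows: %s\n",
        json_encode($url),
        rejectsFileUrlVulnerable($url) ? 'yes' : 'no',
        isAllowedUrl($url) ? 'yes' : 'no');
}
```

Only the first sample is rejected by the 5.0.0 check; the allowlist variant rejects every file:// variant and accepts the https URL.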

Recommendation


Update to the Latest Version

The vulnerability has been fixed in version 5.0.1. Update to this version or later by running:

composer require spatie/browsershot:^5.0.1

Timeline


  • 10 December 2024 - Discovered the vulnerability and reported it to the maintainer.
  • 11 December 2024 - Maintainer acknowledged and pushed the fix in version 5.0.1.
  • 12 December 2024 - Assigned CVE-2024-21544 by SNYK.

References


  • https://github.com/spatie/browsershot
  • https://security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8496745
  • https://www.kb.cert.org/vuls/id/127587