spatie/browsershot
cpe:2.3:a:spatie:browsershot:*:*:*:*:*:*:*
- < 5.0.5
A vulnerability exists in the Spatie Browsershot package in versions prior to 5.0.5, due to improper input validation in the setHtml function. The validation of file URI schemes in the HTML content can be bypassed, allowing arbitrary files to be read from the server's file system. The issue arises because the same-origin policy does not restrict local file references when the origin is itself a local HTML document.
Exploitation of this vulnerability allows arbitrary file reads on the system where Browsershot is used, potentially exposing sensitive files such as the passwd file. It can also be used to list system directories.
To reproduce this vulnerability, use Spatie Browsershot version 5.0.3 or earlier. It is triggered by an HTML object or iframe element that references a local file via the file URI scheme. When such HTML is passed to the Browsershot::html() function, the file reference is processed and the specified file is read from the server's file system; saving the rendered output as a PDF demonstrates the exploitation.
Users can upgrade to Spatie Browsershot version 5.0.5 or higher, where this vulnerability has been addressed.
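The root cause above is HTML that reaches the headless renderer while still carrying file: references. As a defender's input gate, the following added example (Python, not Browsershot's own code or its fix, and independent of the package's PHP API) parses untrusted HTML and rejects it when any resource-loading attribute resolves to the file scheme. It generalizes beyond the object and iframe cases named in the record: it also inspects href, action, poster and background, decodes entity-encoded schemes such as &#102;ile:, normalizes whitespace and tabs the way a browser's URL parser does, and recurses into iframe srcdoc documents. All sample inputs are constructed for the illustration.

```python
"""Reject HTML that references local files before it reaches a headless-browser
renderer. Added illustration of a defensive input check; not Browsershot's fix."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes through which a document can pull in another resource.
URL_ATTRS = {"src", "data", "href", "action", "poster", "background"}


def normalize_url(value: str) -> str:
    """Mimic WHATWG URL pre-processing: strip leading/trailing C0 controls
    and spaces, and drop ASCII tab, LF and CR anywhere in the string."""
    stripped = value.strip("".join(chr(c) for c in range(0x21)))
    return "".join(ch for ch in stripped if ch not in "\t\n\r")


def is_file_url(value: str) -> bool:
    """True when the (normalized) URL uses the file: scheme, any letter case."""
    return urlsplit(normalize_url(value)).scheme.lower() == "file"


class LocalFileRefFinder(HTMLParser):
    """Collects (tag, attribute, value) for every file: reference found."""

    def __init__(self) -> None:
        # Attribute values are entity-decoded by HTMLParser before we see them,
        # so an encoded scheme such as &#102;ile: is inspected as file:.
        super().__init__(convert_charrefs=True)
        self.findings: list[tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            if name in URL_ATTRS and is_file_url(value):
                self.findings.append((tag, name, value))
            if name == "srcdoc":
                # <iframe srcdoc="..."> embeds a whole document; scan it too so
                # nesting cannot hide a reference.
                self.findings.extend(find_local_file_refs(value))


def find_local_file_refs(html: str) -> list[tuple[str, str, str]]:
    """Return every file: reference in the HTML, in document order."""
    finder = LocalFileRefFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def is_safe_for_rendering(html: str) -> bool:
    return not find_local_file_refs(html)


def assert_safe_for_rendering(html: str) -> str:
    """Gate to call before handing HTML to a renderer; raises on any finding."""
    refs = find_local_file_refs(html)
    if refs:
        detail = ", ".join(f"<{t} {a}={v!r}>" for t, a, v in refs)
        raise ValueError(f"HTML references local files: {detail}")
    return html


# Constructed sample documents (not taken from any real incident).
SAMPLES = {
    "plain": "<p>Hello</p><img src='https://example.com/a.png'>",
    "object": "<object data='file:///etc/passwd' type='text/plain'></object>",
    "iframe_case": "<iframe SRC=' FILE:///etc/hostname '></iframe>",
    "entity": "<iframe src='&#102;ile:///etc/passwd'></iframe>",
    "srcdoc": ("<iframe srcdoc='&lt;object data=&quot;file:///etc/passwd&quot;"
               "&gt;&lt;/object&gt;'></iframe>"),
    "listing": "<iframe src='file:///'></iframe>",
}

if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        print(f"{label:12s} safe={is_safe_for_rendering(doc)} "
              f"refs={find_local_file_refs(doc)}")
```

This check is a defence-in-depth layer at the point where untrusted HTML enters the rendering pipeline; it does not replace upgrading to the fixed release, and a renderer that is also denied file-system access at the process or container level will fail closed if a reference slips past the parser.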