Stirling-PDF Server-Side Request Forgery-Induced Arbitrary File Read Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability allowing arbitrary file read has been identified in Stirling-PDF versions prior to 0.45.0. This vulnerability arises from the application's URL-to-PDF functionality, which can be exploited to read any file on the server, including sensitive and configuration files. The issue is related to how WeasyPrint, a PDF rendering library used by Stirling-PDF, handles certain HTML tags. By embedding references to local files or external webpages, an attacker can manipulate the PDF generation process to include unauthorized file contents.

Impact

Exploitation of this vulnerability allows for unauthorized reading of any file on the server, with a particular risk to sensitive and configuration files.

Reproduction

To reproduce this vulnerability, upload to the Stirling-PDF application an HTML file that references local files or content from external webpages. The application processes the file and generates a PDF that includes the referenced content, because the WeasyPrint-based PDF generation feature is vulnerable to SSRF. Once the PDF has been created, extract the embedded files with a PDF attachment extraction tool.

Remediation

Users are advised to update to Stirling-PDF version 0.45.0 or later, where this vulnerability has been patched.
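Beyond upgrading, deployments that call WeasyPrint directly can reduce the blast radius of this class of bug by controlling which URLs the renderer is allowed to fetch. The following is an added example, not Stirling-PDF's patch and not WeasyPrint's own code: it implements a scheme allowlist plus a resolved-address check and wraps it as a WeasyPrint `url_fetcher`. It assumes a recent WeasyPrint whose `default_url_fetcher(url, timeout, ssl_context)` signature and `HTML(..., url_fetcher=...)` argument exist; the hostnames and addresses in the demo resolver are constructed for the offline demonstration.

```python
"""Allowlist-based URL policy for a WeasyPrint url_fetcher.

Added example (not Stirling-PDF's or WeasyPrint's own code). Assumes a
deployment that calls WeasyPrint from Python and can pass url_fetcher to
weasyprint.HTML(). check_url() runs offline; the fetcher wrapper needs the
weasyprint package installed.
"""
import ipaddress
import socket
from urllib.parse import urlparse

# Only remote web resources may be fetched; file://, ftp:// and every other
# scheme is refused, which removes the local-file read path described above.
ALLOWED_SCHEMES = {"http", "https"}


def _is_public(addr):
    """True only for globally routable addresses: rejects loopback, RFC 1918 / ULA,
    link-local (the range cloud metadata services sit in), multicast, reserved."""
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_url(url, resolver=socket.getaddrinfo):
    """Return (allowed, reason). The host is resolved so the verdict covers the
    address the fetch would actually contact, not just the textual hostname."""
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} is not allowed"
    host = parsed.hostname
    if not host:
        return False, "URL has no host"
    try:
        port = parsed.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        return False, f"cannot resolve {host!r}: {exc}"
    for info in infos:
        ip = ipaddress.ip_address(info[4][0])  # sockaddr tuple: (address, port, ...)
        if not _is_public(ip):
            return False, f"{host!r} resolves to non-public address {ip}"
    return True, "ok"


def safe_url_fetcher(url, timeout=10, ssl_context=None):
    """Drop-in for weasyprint.default_url_fetcher: refuse, then delegate.
    Raising makes WeasyPrint skip the resource instead of embedding it."""
    allowed, reason = check_url(url)
    if not allowed:
        raise ValueError(f"blocked resource {url!r}: {reason}")
    from weasyprint import default_url_fetcher  # assumed dependency, imported lazily
    return default_url_fetcher(url, timeout=timeout, ssl_context=ssl_context)


def render_pdf(html_string):
    """Render untrusted HTML with the restricted fetcher (needs weasyprint installed)."""
    from weasyprint import HTML  # assumed dependency, imported lazily
    return HTML(string=html_string, base_url=None, url_fetcher=safe_url_fetcher).write_pdf()


# Constructed DNS table for the offline demo; production uses socket.getaddrinfo.
_DEMO_DNS = {
    "cdn.example": "93.184.216.34",  # public address, allowed
    "intranet.test": "10.0.0.5",     # RFC 1918, blocked
    "rebind.test": "127.0.0.1",      # harmless-looking name pointing at loopback, blocked
}


def demo_resolver(host, port, proto=0):
    """getaddrinfo stand-in: numeric literals resolve to themselves, names via _DEMO_DNS."""
    try:
        ip = str(ipaddress.ip_address(host))
    except ValueError:
        if host not in _DEMO_DNS:
            raise socket.gaierror(-2, f"constructed resolver has no entry for {host}")
        ip = _DEMO_DNS[host]
    return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (ip, port))]


def demo():
    """Apply the policy to constructed sample URLs; returns {url: allowed}."""
    samples = [
        "file:///app/config/settings.yml",   # placeholder local path, scheme refused
        "http://cdn.example/style.css",      # public host, allowed
        "http://intranet.test/",             # private range, blocked
        "http://rebind.test/",               # resolves to loopback, blocked
        "http://169.254.10.20/",             # link-local literal, blocked
        "https://[::1]/",                    # IPv6 loopback literal, blocked
    ]
    return {u: check_url(u, resolver=demo_resolver)[0] for u in samples}


if __name__ == "__main__":
    for url, ok in demo().items():
        print(f"{'ALLOW' if ok else 'BLOCK':5} {url}")
```

Two limits are worth knowing. The check and the real fetch resolve the name separately, so a record that changes between the two calls (DNS rebinding) can still slip through; closing that gap means connecting to the vetted address yourself or fetching through a proxy that enforces the same policy. And the policy only governs resources WeasyPrint requests through the `url_fetcher`; it does not change which fonts or stylesheets the library loads from its own configuration.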

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         2.5
exploitability: 6.0
remediation:    7.7
relevance:      0.0
threat:         6.4
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.