SoftVision webPDF Server-Side Request Forgery Vulnerability Allowing Local File Inclusion

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability has been identified in SoftVision webPDF versions prior to 10.0.2. The issue arises in the PDF converter function, which does not validate whether uploaded files request internal or external resources. As a result, uploaded files can include resources through protocols such as 'http://' and 'file:///'. An attacker could upload an XML or HTML file that, when converted to PDF, facilitates internal port scanning and Local File Inclusion (LFI).

Impact

Exploitation of this vulnerability could lead to unauthorized internal network scanning and the ability to read sensitive files from the local file system, depending on the targeted file.

Reproduction

To reproduce this vulnerability, upload an XML or HTML file containing a crafted payload that exploits the SSRF vulnerability by requesting internal resources or files through the 'file://' protocol. Once the file is uploaded, use the webPDF application to convert it to PDF. The conversion process will inadvertently perform the requested actions, such as scanning internal ports or including local files in the PDF.

Remediation

Users are advised to update to webPDF version 10.0.2 or higher. Additionally, implement an allowlist to restrict available protocols to only HTTP and HTTPS, and block requests to internal network segments after resolving the domain.

Added: Feb 19, 2026, 7:31 PM
Updated: Feb 19, 2026, 7:31 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.8
exploitability: 6.6
remediation: 0.0
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.