InvoiceShelf Server-Side Request Forgery Vulnerability in PDF Generation Module
Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability has been identified in InvoiceShelf versions prior to 2.2.0, specifically within the Estimate PDF generation module. This vulnerability arises because user-supplied HTML in the estimate Notes field is transmitted unsanitized to the Dompdf rendering library. Dompdf then fetches any remote resources referenced in the HTML, such as images or stylesheets. The vulnerability can be exploited directly through the PDF preview and customer view endpoints, regardless of whether automated email attachments are activated.
Impact
Exploitation of this vulnerability allows for internal reconnaissance, probing of internal services and ports not exposed to the public internet, and potential leakage of sensitive data. If the Dompdf configuration allows, it could also enable reading local files via the file:// wrapper, access to cloud metadata credentials, and remote code execution by embedding PHP in the HTML markup.
Reproduction
To reproduce this vulnerability, create or update an estimate by injecting a payload into the Notes field that includes a reference to an asset on an attacker-controlled server. Then, access the PDF through the admin preview or customer view endpoint. The request for the injected asset will be made by Dompdf, indicating successful exploitation.
Remediation
Users are advised to upgrade to InvoiceShelf version 2.2.0, which addresses the vulnerability by sanitizing HTML input in the Notes field before PDF rendering.
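As an added illustration (not InvoiceShelf's own code or its 2.2.0 patch), the PHP below shows the two defensive layers the advisory implies: reducing the Notes HTML to a tag allowlist with every attribute stripped, and rendering with Dompdf's remote fetching and PHP execution turned off and local file access confined to a chroot directory. The `pdf-assets` path and the minimal estimate template are assumptions.

```php
<?php
// Added illustration, not InvoiceShelf's code or its 2.2.0 fix.
require 'vendor/autoload.php';
use Dompdf\Dompdf;
use Dompdf\Options;

// Tags the Notes field may keep; anything else is replaced by its text.
const NOTES_ALLOWED_TAGS = ['p', 'br', 'b', 'strong', 'i', 'em', 'ul', 'ol', 'li'];

// Reduce user HTML to the allowlist and drop every attribute, so no src,
// href or style can point Dompdf at a remote URL or a local file.
function sanitizeNotes(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<?xml encoding="UTF-8"><div id="root">' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $xpath = new DOMXPath($doc);
    $root = $xpath->query('//div[@id="root"]')->item(0);
    foreach (iterator_to_array($xpath->query('.//*', $root)) as $el) {
        if (!in_array(strtolower($el->tagName), NOTES_ALLOWED_TAGS, true)) {
            // Non-allowlisted element: keep only its text, escaped on output.
            $el->parentNode->replaceChild($doc->createTextNode($el->textContent), $el);
            continue;
        }
        while ($el->attributes->length > 0) {
            $el->removeAttribute($el->attributes->item(0)->name);
        }
    }
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Render with Dompdf configured so that even markup that slipped through
// could not fetch remote URLs, run PHP, or read files outside the chroot.
function renderEstimatePdf(string $notesHtml): string
{
    $options = new Options();
    $options->set('isRemoteEnabled', false);          // the setting the SSRF relies on
    $options->set('isPhpEnabled', false);             // blocks embedded PHP execution
    $options->set('chroot', __DIR__ . '/pdf-assets'); // assumed directory for local assets
    $dompdf = new Dompdf($options);
    $dompdf->loadHtml('<h1>Estimate</h1><div class="notes">'
        . sanitizeNotes($notesHtml) . '</div>');
    $dompdf->render();
    return $dompdf->output();
}
```

Content that closes the wrapper `div` early (an unbalanced `</div>` in the input) ends up outside the root and is dropped rather than rendered, which is the conservative outcome for this field.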