InvoiceShelf Server-Side Request Forgery Vulnerability in PDF Receipt Generation

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability has been identified in InvoiceShelf versions prior to 2.2.0, specifically within the payment receipt PDF generation module. The vulnerability arises because user-supplied HTML in the payment Notes field is passed without proper sanitization to the Dompdf rendering library, and Dompdf then fetches any remote resources referenced in that HTML. The vulnerability can be exploited directly through the PDF receipt endpoint, regardless of whether automated email attachments are enabled.

Impact

Exploitation of this vulnerability allows internal reconnaissance: probing internal services and ports that are not exposed to the public internet. It can also lead to sensitive data leakage by reading local files via the 'file://' wrapper if that wrapper is enabled in Dompdf, to access to cloud metadata endpoints (such as AWS or GCP) to steal credentials, and potentially to remote code execution if 'isPhpEnabled' is set to true in Dompdf, which allows execution of PHP embedded in the HTML markup.

Reproduction

To reproduce this vulnerability, create or update a payment record with a Notes value that references an external resource, such as an image hosted on a server the tester controls. After saving the payment, request the PDF receipt through the payments/pdf/{payment:unique_hash} endpoint. The Dompdf library fetches the external resource, confirming the SSRF vulnerability.

Remediation

Users are advised to upgrade to InvoiceShelf version 2.2.0, which addresses the vulnerability by sanitizing HTML input in the Notes field before PDF rendering.
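The following is an added example and is not InvoiceShelf's own fix or Dompdf's code; it shows the two defensive layers a practitioner would want on the receipt path described above: the Notes field rendered as escaped plain text (so no markup it contains can reference a remote or local resource), and Dompdf configured so that remote fetching, PHP execution and unrestricted local file access (the paths named under Impact) are all disabled regardless of what HTML reaches it. The Composer autoload path, the chroot directory and the function names are assumptions for the example; the exact sanitization shipped in 2.2.0 is not reproduced here.

```php
<?php
// Added example (not InvoiceShelf's or Dompdf's own code): hardening the
// payment-receipt render path against the SSRF described in the advisory.
declare(strict_types=1);

// Assumption: Dompdf installed via Composer. Loaded only if present so the
// sanitizer self-check below still runs without it.
if (is_file(__DIR__ . '/vendor/autoload.php')) {
    require __DIR__ . '/vendor/autoload.php';
}

use Dompdf\Dompdf;
use Dompdf\Options;

/**
 * Layer 1: treat the Notes field as plain text, never as HTML.
 * Every HTML-significant character is escaped, so an <img src="..."> or
 * <link href="..."> written into Notes becomes inert text in the PDF.
 * Line breaks are preserved as <br> so the receipt still reads naturally.
 */
function sanitizeNotes(string $notes): string
{
    $escaped = htmlspecialchars($notes, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return nl2br($escaped, false);
}

/**
 * Layer 2: configure Dompdf so that even if markup slipped through,
 * it could not reach the network, the PHP interpreter, or files
 * outside one directory.
 */
function hardenedDompdfOptions(string $chroot): Options
{
    $options = new Options();
    $options->setIsRemoteEnabled(false); // no http(s) fetches for <img>, <link>, CSS url()
    $options->setIsPhpEnabled(false);    // no inline PHP execution (the RCE path under Impact)
    $options->setChroot($chroot);        // local file access confined to this directory
    return $options;
}

/** Render a receipt; every user-controlled value is escaped before templating. */
function renderReceipt(string $customerName, string $amount, string $notes, string $chroot): string
{
    $safeName   = htmlspecialchars($customerName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safeAmount = htmlspecialchars($amount, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safeNotes  = sanitizeNotes($notes);

    $html = <<<HTML
<!DOCTYPE html>
<html><body>
  <h1>Payment receipt</h1>
  <p>Received from: {$safeName}</p>
  <p>Amount: {$safeAmount}</p>
  <h2>Notes</h2>
  <p>{$safeNotes}</p>
</body></html>
HTML;

    $dompdf = new Dompdf(hardenedDompdfOptions($chroot));
    $dompdf->loadHtml($html, 'UTF-8');
    $dompdf->setPaper('A4', 'portrait');
    $dompdf->render();
    return $dompdf->output(); // raw PDF bytes
}

// Self-check on constructed input: a Notes value carrying an external image
// reference must come out escaped, so it can never trigger a fetch.
$constructedNotes = "Thanks!\n<img src=\"http://example.invalid/pixel.png\">";
$escaped = sanitizeNotes($constructedNotes);
if (strpos($escaped, '<img') !== false || strpos($escaped, '&lt;img') === false) {
    throw new RuntimeException('sanitizeNotes left markup intact');
}
echo $escaped, PHP_EOL;

// To produce a PDF with the hardened renderer (requires Dompdf):
// file_put_contents('receipt.pdf',
//     renderReceipt('Jane Doe', '120.00 USD', $constructedNotes, __DIR__ . '/storage'));
```

Escaping the field is what removes the SSRF; the Dompdf options are defence in depth so that a future template or a different field cannot reintroduce it. If a deployment genuinely needs remote images, keep `setIsPhpEnabled(false)` and the chroot regardless, and restrict remote fetching at the network layer rather than re-enabling it for user-controlled content.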

Added: Mar 31, 2026, 11:26 PM
Updated: Mar 31, 2026, 11:26 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 5.6
remediation: 0.0
relevance: 5.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.