InvoiceShelf Server-Side Request Forgery Vulnerability in PDF Generation Module
Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability has been identified in InvoiceShelf versions prior to 2.2.0, within the Invoice PDF generation module. The vulnerability arises because user-supplied HTML in the invoice Notes field is transmitted unsanitized to the Dompdf rendering library. Dompdf then fetches any remote resources referenced in the markup. This issue can be exploited through the PDF preview and email delivery endpoints.
Impact
Exploitation of this vulnerability allows internal reconnaissance: probing internal services and ports that are not exposed to the public internet. It also poses a risk of sensitive data leakage, with the potential to read local files via the 'file://' wrapper if that is enabled in Dompdf. Additionally, requests to cloud instance metadata endpoints (for example on AWS or GCP) could be used to steal credentials. Furthermore, if 'isPhpEnabled' is set to true in Dompdf, remote code execution could be achieved by embedding PHP in the HTML markup.
Reproduction
To reproduce this vulnerability, create or update an invoice and inject a payload into the Notes field that includes a reference to an external resource, such as an image hosted on an attacker-controlled server. Then, trigger the invoice email delivery or access the PDF preview endpoint. The Dompdf library will parse the injected HTML, fetch the referenced resource, and the request will be logged on the attacker-controlled server, indicating successful exploitation.
Remediation
Users are advised to upgrade to InvoiceShelf version 2.2.0, which addresses the vulnerability by sanitizing HTML input in the Notes field before it is rendered in the PDF.
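The fix described above, as an added example rather than InvoiceShelf's own code: an allowlist sanitizer for the Notes field combined with a Dompdf configuration that refuses remote fetches, inline PHP and unrestricted file access. It assumes dompdf/dompdf 2.x installed via Composer and a local `public` directory used as the chroot; the function names are hypothetical.

```php
<?php
// Added example, not InvoiceShelf's own code; assumes dompdf/dompdf 2.x via Composer.
require __DIR__ . '/vendor/autoload.php';
use Dompdf\Dompdf;
use Dompdf\Options;

// Allowlist sanitizer for the Notes field: keeps basic formatting tags only, drops every
// attribute (no src/href/style), and removes script, style, comment and <?php ?> nodes.
function sanitizeNotesHtml(string $html): string
{
    $allowed = ['p', 'br', 'b', 'i', 'strong', 'em', 'ul', 'ol', 'li'];
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate sloppy user markup
    $doc->loadHTML('<?xml encoding="utf-8"?><body>' . $html . '</body>');
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);

    $walk = function (DOMNode $node) use (&$walk, $doc, $allowed): void {
        foreach (iterator_to_array($node->childNodes) as $child) { // static copy: list is mutated
            if (!$child instanceof DOMElement) { // text stays; comments, CDATA and PIs go
                if (!$child instanceof DOMText) { $node->removeChild($child); }
            } elseif (in_array($child->tagName, ['script', 'style'], true)) {
                $node->removeChild($child); // drop the content too, not just the tag
            } elseif (!in_array($child->tagName, $allowed, true)) {
                $node->replaceChild($doc->createTextNode($child->textContent), $child);
            } else {
                foreach (iterator_to_array($child->attributes) as $attr) {
                    $child->removeAttributeNode($attr);
                }
                $walk($child);
            }
        }
    };
    $walk($body);
    return implode('', array_map(fn ($c) => $doc->saveHTML($c), iterator_to_array($body->childNodes)));
}

// Defence in depth: even if markup slips through, Dompdf must not fetch anything.
function renderInvoicePdf(string $notesHtml): string
{
    $options = new Options();
    $options->set('isRemoteEnabled', false);   // no http(s):// resource loading
    $options->set('isPhpEnabled', false);      // no inline PHP execution
    $options->setChroot(__DIR__ . '/public');  // file:// access limited to this tree
    $dompdf = new Dompdf($options);
    $dompdf->loadHtml('<html><body>' . sanitizeNotesHtml($notesHtml) . '</body></html>');
    $dompdf->render();
    return $dompdf->output(); // PDF bytes
}
```

Calling `sanitizeNotesHtml('<p onclick="x">Hi <img src="http://example.invalid/a"></p>')` yields `<p>Hi </p>`, so no resource reference reaches the renderer; the Dompdf options then block any fetch the sanitizer might miss.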
