Summary
Exploiting URL-to-PDF Functionality for Arbitrary File Read on the Server
Details
WeasyPrint redefines a set of HTML tags, including img, embed, object, and others. The references to several files inside the allow us to attach the content of any webpage or local file to our PDF.
PoC
We generate an HTML file and then upload it to the VPS.


A Python web service is started on the VPS, allowing the target to actively connect to our HTML file.

We will then obtain a PDF file containing the embedded passwd content.

Next, we use the pdfdetach tool to extract the passwd from the PDF file.

Impact
This allows the attacker to read any file on the server, including sensitive files and configuration files. All users utilizing this feature will be affected.
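Mitigation sketch (an added example, not code from the original advisory or from the WeasyPrint project): WeasyPrint lets the caller pass a url_fetcher callable to HTML(), and the wrapper below refuses non-http(s) schemes such as file:// and any host that resolves to a non-public address before deferring to default_url_fetcher. The names is_url_allowed, safe_url_fetcher and user_url are hypothetical, and the lazy import assumes a WeasyPrint release that exports default_url_fetcher.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # file://, data:, ftp: etc. are refused


def is_url_allowed(url, resolve=socket.getaddrinfo):
    """True only for http(s) URLs whose host resolves solely to public IPs."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return False  # malformed URL or port: fail closed
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False  # local paths and file:// URLs stop here
    try:
        infos = resolve(parts.hostname, port or 443)
    except (OSError, UnicodeError):
        return False  # unresolvable host: fail closed
    if not infos:
        return False
    for info in infos:
        ip = ipaddress.ip_address(info[4][0].split("%")[0])  # drop IPv6 zone id
        if not ip.is_global:  # loopback, RFC 1918, link-local (cloud metadata)
            return False
    return True


def safe_url_fetcher(url, *args, **kwargs):
    """Drop-in url_fetcher: validate first, then defer to WeasyPrint's fetcher."""
    if not is_url_allowed(url):
        raise ValueError(f"blocked resource URL: {url!r}")
    # Lazy import; assumes WeasyPrint is installed in the rendering service.
    from weasyprint import default_url_fetcher
    return default_url_fetcher(url, *args, **kwargs)


# Usage in the conversion endpoint (user_url is a hypothetical variable):
#   from weasyprint import HTML
#   pdf = HTML(url=user_url, url_fetcher=safe_url_fetcher).write_pdf()
```

The check resolves the host separately from the fetch, so HTTP redirects and DNS answers that change between check and fetch are not covered. Egress filtering and a low-privilege account for the rendering process are still needed alongside it.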