Exploit: mPDF
(found in version 7.0) involve manipulating annotation file parameters.
The Exploit: Older versions (e.g., 5.x) had similar flaws where relative paths (like ../../etc/passwd) could be passed to file-reading functions.
3. Server-Side Request Forgery (SSRF)
Consider an endpoint that generates a PDF receipt from user-supplied HTML:
mPDF allowed a CSS background-image property to accept not just HTTP/HTTPS URLs, but . Specifically, an attacker could use:
.attacker-class { background-image: url('phar:///path/to/uploaded/file.phar/exploit.txt'); }
When mPDF attempts to read these “images” to embed them, it reads the actual files. The resulting PDF will contain the contents of /etc/passwd or the database credentials. Even if the images fail to render, the data is often present in the PDF’s binary stream or error logs.