Path Traversal in lampnick/doctron
Sep 4th 2021
doctron is a Go tool that converts HTML to PDF or images. It does not validate that the input is a web URL, so a URL using the file:/// scheme is accepted and local files can be accessed. This allows getting a screenshot or PDF of sensitive files on the system.
🕵️‍♂️ Proof of Concept
A demo version of the tool is hosted at https://doctron.lampnick.com. Visit the website, enter the input file:///etc/passwd and click html2pdf basic. You will see the contents of /etc/passwd in the newly generated PDF.
This vulnerability allows reading files on the server where the tool is hosted.
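One way to close the gap described above, as an added example that is not doctron's own code: a hypothetical helper, validateRenderURL, that accepts only absolute http/https URLs with a host before anything is handed to the renderer. The sample inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// validateRenderURL is a hypothetical helper (not part of doctron). It accepts
// only absolute http/https URLs that name a host, so file:// and other local
// schemes are rejected before rendering.
func validateRenderURL(raw string) (*url.URL, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return nil, fmt.Errorf("unparseable URL: %w", err)
	}
	// url.Parse lowercases the scheme, so "FILE:" is treated like "file:".
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q is not allowed", u.Scheme)
	}
	// "http:///etc/passwd" parses with an empty host; refuse it.
	if u.Hostname() == "" {
		return nil, errors.New("URL has no host")
	}
	return u, nil
}

func main() {
	// Constructed sample inputs.
	for _, in := range []string{
		"https://example.com/report.html",
		"file:///etc/passwd",
		"FILE:///etc/passwd",
		"file:/etc/passwd",
		"/etc/passwd",
		"http:///etc/passwd",
	} {
		if _, err := validateRenderURL(in); err != nil {
			fmt.Printf("reject %-34q %v\n", in, err)
		} else {
			fmt.Printf("accept %q\n", in)
		}
	}
}
```

The check belongs on the server side, applied to every request that carries a URL to render.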