Path Traversal in lampnick/doctron


Reported on Sep 4th 2021

✍️ Description

doctron is a Go tool that converts HTML to PDF or images. The input is not validated to be a web URL: URLs using the file:/// scheme are accepted, so local files can be loaded and rendered. This allows obtaining a screenshot or PDF of sensitive files on the system.

🕵️‍♂️ Proof of Concept

A demo version of the tool is hosted at Visit the website, enter the input file:///etc/passwd and click html2pdf basic. The contents of /etc/passwd appear in the newly generated PDF.

💥 Impact

This vulnerability allows reading files on the server the tool is hosted on.
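The validation the description says is missing, as an added example in Go (not doctron's own code): only absolute http/https URLs are accepted, and the host must resolve to a public address, so file:/// input and converter-side fetches of loopback or private hosts are both rejected. The Resolver type and the function names are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver abstracts DNS lookup so the check can run offline in tests.
type Resolver func(host string) ([]net.IP, error)

// isInternal: loopback, private, link-local or unspecified space, which a public converter must never fetch from.
func isInternal(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()
}

// ValidateRenderURL accepts only absolute http/https URLs whose host resolves exclusively to
// public addresses; file://, other schemes, scheme-less paths, "localhost" and internal hosts are rejected.
func ValidateRenderURL(raw string, resolve Resolver) (*url.URL, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return nil, fmt.Errorf("unparsable url: %w", err)
	}
	if s := strings.ToLower(u.Scheme); s != "http" && s != "https" {
		return nil, fmt.Errorf("scheme %q not allowed (only http/https)", u.Scheme)
	}
	host := u.Hostname()
	if host == "" || strings.EqualFold(host, "localhost") {
		return nil, fmt.Errorf("missing or local host in %q", raw)
	}
	ips := []net.IP{net.ParseIP(host)} // IP literal: no DNS needed
	if ips[0] == nil {
		if ips, err = resolve(host); err != nil || len(ips) == 0 {
			return nil, fmt.Errorf("cannot resolve host %q: %v", host, err)
		}
	}
	for _, ip := range ips {
		if isInternal(ip) { // also catches IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1
			return nil, fmt.Errorf("host %q resolves to internal address %s", host, ip)
		}
	}
	return u, nil
}

func main() {
	for _, in := range []string{"file:///etc/passwd", "http://127.0.0.1/", "https://example.com/"} {
		_, err := ValidateRenderURL(in, net.LookupIP)
		fmt.Printf("%-22s -> %v\n", in, err)
	}
}
```

Resolving the host once at validation time does not pin the address the renderer later connects to, so the same check should also be enforced at the fetch layer (for example through a dialer restricted to public addresses).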

We created a GitHub Issue asking the maintainers to create a a year ago
We have contacted a member of the lampnick/doctron team and are waiting to hear back a year ago
lampnick validated this vulnerability a year ago
Hack with GitHub has been awarded the disclosure bounty
The fix bounty is now up for grabs
lampnick confirmed that a fix has been merged on fffe90 a year ago
The fix bounty has been dropped