GHSA-xg43-5579-qw6v:
PHP 취약성 분석 및 완화
Impact
adawolfa/isdoc reads ISDOC invoices from ISDOCX (ZIP) archives and from PDF files with embedded ISDOC documents and supplements. Affected versions inflate ZIP entries and read embedded files without validating their uncompressed size, so a small crafted file can amplify into gigabytes:
- ISDOCX decompression bomb —
getFromName()inflates the ISDOC document and binary supplements with no size cap. saveTo()disk-fill — the supplement copy loop writes inflated bytes to disk with no running byte budget, so a bomb can exhaust disk even if the central-directory size is under-reported.- PDF embedded files — an embedded file whose declared
Lengthis enormous is read and digested with no upper bound. Exploitation requires the application to parse an attacker-supplied.isdocxor.pdf(the typical use is generating files or parsing files from trusted vendors, so a user must be induced to process a malicious file). When that happens the process can be driven to exhaust memory or disk, causing denial of service. There is no confidentiality or integrity impact — availability only.
Patches
Fixed in 1.4.3, 1.5.1, 1.6.1 and 2.0.0. The readers now:
- read the uncompressed size from the ZIP central directory (
statName()) and reject entries over a cap before inflating — 256 KB (DocumentSizeLimit) for the ISDOC document, 32 MB (SizeLimit) for supplements; - enforce a running byte budget in
saveTo()and unlink the partial file on overflow; - reject PDF-embedded files whose declared
Lengthexceeds 256 MB before reading or digesting them. New exceptionsReaderException::zipEntryTooLarge(),SupplementException::supplementTooLarge()andReaderException::pdfSupplementTooLarge()surface the rejection.
Unsupported versions
Versions before 1.4.0 (the 1.0–1.3 lines) are also affected and will not receive a fix, because they target end-of-life PHP. Users on those lines should upgrade to a maintained release — 1.4.3, 1.5.1, 1.6.1, or 2.0.0.
Workarounds
No code-level workaround exists in affected versions; upgrading is the fix. As mitigation, restrict parsing to trusted input, or enforce an external size / decompression limit (validate ZIP entry sizes, cap process memory) before handing files to the library.
Resources
근원: 네비디(NVD)
관련 PHP 취약점:
무료 취약성 평가
클라우드 보안 태세를 벤치마킹합니다
9개의 보안 도메인에서 클라우드 보안 관행을 평가하여 위험 수준을 벤치마킹하고 방어의 허점을 식별합니다.
추가 Wiz 리소스
맞춤형 데모 받기
맞춤형 데모 신청하기
"내가 본 최고의 사용자 경험은 클라우드 워크로드에 대한 완전한 가시성을 제공합니다."
"Wiz는 클라우드 환경에서 무슨 일이 일어나고 있는지 볼 수 있는 단일 창을 제공합니다."
"우리는 Wiz가 무언가를 중요한 것으로 식별하면 실제로 중요하다는 것을 알고 있습니다."