Typo3 pdf_generator2 - OS Command injection
2011-10-17
| Risk | High |
| Impact | OS command injection |
| Affected Software | pdf_generator2 |
| Locally exploitable | No |
| Remotely exploitable | Yes |
Technical description
Dotsafe has found a vulnerability in a TYPO3 extension named pdf_generator2 which could be exploited by malicious people to remotely execute OS commands.
Input passed via the "pdfversion" parameter through pdf_generator2 (if "ps2pdf" is set to 1) to html2ps/html2ps.php is not properly sanitised before being used in the exec function. This can be exploited to execute arbitrary OS commands.
The vulnerability is confirmed in version 0.21.0. Prior versions may also be affected.
We have not received any news from the TYPO3 security team for a year, so we are disclosing the vulnerability details.
Details
./html2ps/html2ps.php:31
$g_config = array(
    'cssmedia' => isset($_REQUEST['cssmedia']) ? $_REQUEST['cssmedia'] : "screen",
    'media' => isset($_REQUEST['media']) ? $_REQUEST['media'] : "A4",
    'scalepoints' => isset($_REQUEST['scalepoints']),
    'renderimages' => isset($_REQUEST['renderimages']),
    'renderfields' => isset($_REQUEST['renderfields']),
    'renderforms' => isset($_REQUEST['renderforms']),
    'pslevel' => isset($_REQUEST['pslevel']) ? $_REQUEST['pslevel'] : 3,
    'renderlinks' => isset($_REQUEST['renderlinks']),
    'pagewidth' => isset($_REQUEST['pixels']) ? (int)$_REQUEST['pixels'] : 800,
    'landscape' => isset($_REQUEST['landscape']),
    'method' => isset($_REQUEST['method']) ? $_REQUEST['method'] : "fpdf" ,
    'margins' => array(
        'left' => isset($_REQUEST['leftmargin']) ? (int)$_REQUEST['leftmargin'] : 0,
        'right' => isset($_REQUEST['rightmargin']) ? (int)$_REQUEST['rightmargin'] : 0,
        'top' => isset($_REQUEST['topmargin']) ? (int)$_REQUEST['topmargin'] : 0,
        'bottom' => isset($_REQUEST['bottommargin']) ? (int)$_REQUEST['bottommargin'] : 0
    ),
    'encoding' => isset($_REQUEST['encoding']) ? $_REQUEST['encoding'] : "",
    'ps2pdf' => isset($_REQUEST['ps2pdf']),
    'compress' => isset($_REQUEST['compress']),
    'output' => isset($_REQUEST['output']) ? $_REQUEST['output'] : 0,
    'pdfversion' => isset($_REQUEST['pdfversion']) ? $_REQUEST['pdfversion'] : "1.2",
    'transparency_workaround' => isset($_REQUEST['transparency_workaround']),
    'imagequality_workaround' => isset($_REQUEST['imagequality_workaround']),
    'draw_page_border' => isset($_REQUEST['pageborder']),
    'debugbox' => isset($_REQUEST['debugbox']),
    'html2xhtml' => !isset($_REQUEST['html2xhtml']),
    'mode' => 'html'
);

./html2ps/html2ps.php:160
if ($g_config['ps2pdf']) {
    $pipeline->output_filters[] = new OutputFilterPS2PDF($g_config['pdfversion']);
}

./html2ps/filter.output.ps2pdf.class.php:40
function OutputFilterPS2PDF($pdf_version) {
    $this->pdf_version = $pdf_version;
}

./html2ps/filter.output.ps2pdf.class.php:36
function _mk_cmd($filename) {
    return GS_PATH." -dNOPAUSE -dBATCH -dEmbedAllFonts=true -dCompatibilityLevel=".$this->pdf_version." -sDEVICE=pdfwrite -sOutputFile=".$filename.".pdf ".$filename;
}

./html2ps/filter.output.ps2pdf.class.php:44
function process($tmp_filename) {
    $pdf_file = $tmp_filename.'.pdf';
    safe_exec($this->_mk_cmd($tmp_filename), $output);

./html2ps/filter.output.ps2pdf.class.php:3
function safe_exec($cmd, &$output) {
    exec($cmd, $output, $result);
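
For sites that ran the affected version, web server logs can be reviewed for requests that reached this code path with a "pdfversion" value that is not a plain version number. The script below is an added example, not part of the original advisory or of pdf_generator2; it assumes combined-format access logs, a one-digit.one-digit version shape, and a constructed install path. Because the script reads $_REQUEST, values sent in a POST body will not appear in access logs and are not covered.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line of a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumed shape of a legitimate value, e.g. the default "1.2"
VERSION_RE = re.compile(r"\d\.\d")


def suspicious_pdfversion(line):
    """Return the decoded pdfversion of a request to html2ps.php that enables
    ps2pdf and carries a non-version value; return None for anything else."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    target = urlsplit(match.group(1))
    if not target.path.endswith("html2ps/html2ps.php"):
        return None
    params = parse_qs(target.query, keep_blank_values=True)
    # html2ps.php tests isset($_REQUEST['ps2pdf']), so presence alone counts.
    if "ps2pdf" not in params:
        return None
    for value in params.get("pdfversion", []):
        if not VERSION_RE.fullmatch(value):
            return value
    return None


def scan(lines):
    """Return (line_number, value) pairs for every flagged log line."""
    return [(n, v) for n, line in enumerate(lines, 1)
            if (v := suspicious_pdfversion(line)) is not None]


# Constructed sample log lines; the install path and addresses are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Oct/2011:10:00:01 +0200] "GET /typo3conf/ext/pdf_generator2/html2ps/html2ps.php?ps2pdf=1&pdfversion=1.4 HTTP/1.1" 200 5120',
    '192.0.2.66 - - [17/Oct/2011:10:02:13 +0200] "GET /typo3conf/ext/pdf_generator2/html2ps/html2ps.php?ps2pdf=1&pdfversion=1.4%20CONSTRUCTED HTTP/1.1" 200 0',
    '192.0.2.10 - - [17/Oct/2011:10:03:40 +0200] "GET /typo3conf/ext/pdf_generator2/html2ps/html2ps.php?pdfversion=abc HTTP/1.1" 200 5120',
    '192.0.2.11 - - [17/Oct/2011:10:04:02 +0200] "GET /index.php?id=1 HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: pdfversion={value!r}")
```

The third sample line is not flagged because the ps2pdf parameter is absent, so the OutputFilterPS2PDF filter is never added for that request.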
Solution
Edit ./html2ps/filter.output.ps2pdf.class.php
function OutputFilterPS2PDF($pdf_version) {
- $this->pdf_version = $pdf_version;
+ $this->pdf_version = preg_replace("#[^\.\d]#", "", $pdf_version);
}
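Review bot: the character filter on the `+` line strips everything except dots and digits, which removes shell metacharacters, but it still accepts an empty result or a malformed one such as `1..2.3`, so `-dCompatibilityLevel=` can be passed with no value or a nonsensical one. Consider validating the shape instead (for example `preg_match('/^\d\.\d$/', $pdf_version)`) and falling back to the default "1.2" used in html2ps.php when it does not match. The `\.` escape inside the character class is unnecessary, and since `_mk_cmd()` still concatenates `$filename` into the command string, wrapping both values with `escapeshellarg()` in the same change would harden the call further.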
Vulnerability discovered by the AntEater project.