PrinceXML Wrapper Class Command Injection

2016.07.08
Credit: Brandon Perry
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-78

While grabbing a copy PrinceXML, I noticed the company also offered some wrapper classes in various languages for using prince in server applications (web applications). http://www.princexml.com/download/wrappers/ <http://www.princexml.com/download/wrappers/> Taking a quick look at the PHP class, there are likely numerous command injection vulnerabilities. I was able to prove a quick PoC out. Some quick googling yielded more results that expected, so PrinceXML and PHP seem kind of popular? <?php ini_set('display_errors', '1'); error_reporting(-1); require 'prince.php'; $exepath='/usr/bin/prince'; $prince= new Prince($exepath); $prince->setHTML(TRUE); $prince->setLog('prince.log'); $xmlPath='/Applications/MAMP/htdocs/test/new`sleep 5`html.html'; $msgs= array(); $convert=$prince->convert_file($xmlPath, $msgs); ?> ?????? Note how $xmlPath has bash ticks in it to call sleep. Passing an attacker-controlled file name to the convert_file function can result in command injection. You can use this safely. Using the temporary file mechanisms in PHP to save the user?s file to a randomly named file on the FS, then passing this random name you can trust to convert_file would be fine. That being said, I have no idea what the common permutations of code is for the PrinceXML PHP library and haven?t looked for any more. It seems obvious there will be more vectors. I haven?t looked at the others. If C# and Java are using the correct classes such as invoking an array of strings as the command and arguments as opposed to a straight up concatenated string, they may be safe. The Rails wrapper seems unofficial. I also started getting really sad while working on this and had to listen to Purple Rain. RIP


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top