[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

pdflib long filename multiple bufferoverflows

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: pdflib long filename multiple bufferoverflows
From: poplix <poplix@xxxxxxxxxxxx>
Date: Sun, 23 Dec 2007 00:01:03 +0100

hi,

pdflib, a library for generating PDF on the fly, avilable at http://www.pdflib.com, is vulnerable to multiple bufferoverflows due to amisuse of strcpy().An attacker can exploit this issue to execute arbitrary code or tocrash the application that uses the library.One of the vulnerable functions is pdc_fsearch_fopen() that iscalled, for example, by PDF_load_image() which overflows a stackbuffer if a long filename is provided.The php wrapper for pdflib (pecl extension) is also vulnerable soplease take care of allowing users to generate custom pdfs from webapps.


this is a proof-of-concept that crashes php:
<?php
.....
PDF_load_image($p,"jpeg",str_repeat("A",1100), null);

?>

The developers have been warned and they plained to fix those bugs inthe next release.



cheers,
-poplix
http://px.dynalias.org

Prev by Date: Re: Re: Moodle SQL Injection
Next by Date: Logaholic Web Analytics Software
Previous by thread: Re: [HSC] Dokeos Multiple Cross-Site Scripting Vulnerabilities
Next by thread: Logaholic Web Analytics Software
Index(es):
- Date
- Thread