Twenty Year Anniversary

PrinceXML Wrapper Class Command Injection

PrinceXML Wrapper Class Command Injection
Posted Jul 6, 2016
Authored by Brandon Perry

Wrapper classes provided by PrinceXML appear to suffer from command injection vulnerabilities.

tags | exploit, vulnerability
MD5 | 4ca94581a27f577b94c4c76b397e90dc

PrinceXML Wrapper Class Command Injection

Change Mirror Download
While grabbing a copy PrinceXML, I noticed the company also offered some wrapper classes in various languages for using prince in server applications (web applications).

http://www.princexml.com/download/wrappers/ <http://www.princexml.com/download/wrappers/>

Taking a quick look at the PHP class, there are likely numerous command injection vulnerabilities. I was able to prove a quick PoC out. Some quick googling yielded more results that expected, so PrinceXML and PHP seem kind of popular?

<?php
ini_set('display_errors', '1');
error_reporting(-1);

require 'prince.php';

$exepath='/usr/bin/prince';
$prince= new Prince($exepath);

$prince->setHTML(TRUE);
$prince->setLog('prince.log');

$xmlPath='/Applications/MAMP/htdocs/test/new`sleep 5`html.html';

$msgs= array();
$convert=$prince->convert_file($xmlPath, $msgs);

?>

——————

Note how $xmlPath has bash ticks in it to call sleep. Passing an attacker-controlled file name to the convert_file function can result in command injection.

You can use this safely. Using the temporary file mechanisms in PHP to save the user’s file to a randomly named file on the FS, then passing this random name you can trust to convert_file would be fine. That being said, I have no idea what the common permutations of code is for the PrinceXML PHP library and haven’t looked for any more. It seems obvious there will be more vectors.

I haven’t looked at the others. If C# and Java are using the correct classes such as invoking an array of strings as the command and arguments as opposed to a straight up concatenated string, they may be safe. The Rails wrapper seems unofficial.

I also started getting really sad while working on this and had to listen to Purple Rain. RIP

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    3 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    18 Files
  • 6
    Sep 6th
    18 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    2 Files
  • 9
    Sep 9th
    2 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    17 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    29 Files
  • 14
    Sep 14th
    21 Files
  • 15
    Sep 15th
    3 Files
  • 16
    Sep 16th
    1 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    16 Files
  • 19
    Sep 19th
    29 Files
  • 20
    Sep 20th
    18 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close