all things security

PrinceXML Wrapper Class Command Injection

PrinceXML Wrapper Class Command Injection
Posted Jul 6, 2016
Authored by Brandon Perry

Wrapper classes provided by PrinceXML appear to suffer from command injection vulnerabilities.

tags | exploit, vulnerability
MD5 | 4ca94581a27f577b94c4c76b397e90dc

PrinceXML Wrapper Class Command Injection

Change Mirror Download
While grabbing a copy PrinceXML, I noticed the company also offered some wrapper classes in various languages for using prince in server applications (web applications).

http://www.princexml.com/download/wrappers/ <http://www.princexml.com/download/wrappers/>

Taking a quick look at the PHP class, there are likely numerous command injection vulnerabilities. I was able to prove a quick PoC out. Some quick googling yielded more results that expected, so PrinceXML and PHP seem kind of popular?

<?php
ini_set('display_errors', '1');
error_reporting(-1);

require 'prince.php';

$exepath='/usr/bin/prince';
$prince= new Prince($exepath);

$prince->setHTML(TRUE);
$prince->setLog('prince.log');

$xmlPath='/Applications/MAMP/htdocs/test/new`sleep 5`html.html';

$msgs= array();
$convert=$prince->convert_file($xmlPath, $msgs);

?>

——————

Note how $xmlPath has bash ticks in it to call sleep. Passing an attacker-controlled file name to the convert_file function can result in command injection.

You can use this safely. Using the temporary file mechanisms in PHP to save the user’s file to a randomly named file on the FS, then passing this random name you can trust to convert_file would be fine. That being said, I have no idea what the common permutations of code is for the PrinceXML PHP library and haven’t looked for any more. It seems obvious there will be more vectors.

I haven’t looked at the others. If C# and Java are using the correct classes such as invoking an array of strings as the command and arguments as opposed to a straight up concatenated string, they may be safe. The Rails wrapper seems unofficial.

I also started getting really sad while working on this and had to listen to Purple Rain. RIP

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    15 Files
  • 2
    Oct 2nd
    16 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    11 Files
  • 6
    Oct 6th
    6 Files
  • 7
    Oct 7th
    2 Files
  • 8
    Oct 8th
    1 Files
  • 9
    Oct 9th
    13 Files
  • 10
    Oct 10th
    16 Files
  • 11
    Oct 11th
    15 Files
  • 12
    Oct 12th
    23 Files
  • 13
    Oct 13th
    13 Files
  • 14
    Oct 14th
    12 Files
  • 15
    Oct 15th
    2 Files
  • 16
    Oct 16th
    16 Files
  • 17
    Oct 17th
    16 Files
  • 18
    Oct 18th
    14 Files
  • 19
    Oct 19th
    8 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close