138 lines
No EOL
4.2 KiB
Text
138 lines
No EOL
4.2 KiB
Text
Advisory: Remote Code Execution in TYPO3 Extension ke_dompdf
|
|
|
|
During a penetration test RedTeam Pentesting discovered a remote code
|
|
execution vulnerability in the TYPO3 extension ke_dompdf, which allows
|
|
attackers to execute arbitrary PHP commands in the context of the
|
|
webserver.
|
|
|
|
|
|
Details
|
|
=======
|
|
|
|
Product: ke_dompdf TYPO3 extension
|
|
Affected Versions: 0.0.3<=
|
|
Fixed Versions: 0.0.5
|
|
Vulnerability Type: Remote Code Execution
|
|
Security Risk: high
|
|
Vendor URL: http://typo3.org/extensions/repository/view/ke_dompdf
|
|
Vendor Status: fixed version released
|
|
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-007
|
|
Advisory Status: published
|
|
CVE: CVE-2014-6235
|
|
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6235
|
|
|
|
|
|
Introduction
|
|
============
|
|
|
|
"DomPDF library and a small pi1 to show how to use DomPDF to render the
|
|
current typo3-page to pdf."
|
|
(taken from the extension's description)
|
|
|
|
|
|
More Details
|
|
============
|
|
|
|
The TYPO3 extension ke_dompdf contains a version of the dompdf library
|
|
including all files originally supplied with it. This includes an
|
|
examples page, which contains different examples for HTML-entities
|
|
rendered as a PDF. This page also allows users to enter their own HTML
|
|
code into a text box to be rendered by the webserver using dompdf.
|
|
dompdf also supports rendering of PHP files and the examples page also
|
|
accepts PHP code tags, which are then executed and rendered into a PDF
|
|
on the server.
|
|
|
|
Since those files are not protected in the TYPO3 extension directory,
|
|
anyone can access this URL and execute arbitrary PHP code on the system.
|
|
This behaviour was already fixed in the dompdf library, but the typo3
|
|
extension ke_dompdf supplies an old version of the library that still
|
|
allows the execution of arbitrary PHP code.
|
|
|
|
|
|
Proof of Concept
|
|
================
|
|
|
|
Access examples.php on the vulnerable system:
|
|
http://www.example.com/typo3conf/ext/ke_dompdf/res/dompdf/www/examples.php
|
|
|
|
Enter PHP code in the text box on the bottom of the page and click the
|
|
submit button, for example:
|
|
|
|
------------------------------------------------------------------------
|
|
<?php phpinfo() ?>
|
|
------------------------------------------------------------------------
|
|
|
|
The page will return a PDF file containing the output of the PHP code.
|
|
|
|
|
|
Workaround
|
|
==========
|
|
|
|
Remove the directory "www" containing the examples.php file or at least
|
|
the examples.php file from the extensions' directory.
|
|
|
|
|
|
Fix
|
|
===
|
|
|
|
Update to version 0.0.5 of the extension.
|
|
|
|
|
|
Security Risk
|
|
=============
|
|
|
|
high
|
|
|
|
|
|
Timeline
|
|
========
|
|
|
|
2014-04-21 Vulnerability identified
|
|
2014-04-30 Customer approved disclosure to vendor
|
|
2014-05-06 CVE number requested
|
|
2014-05-10 CVE number assigned
|
|
2014-05-13 Vendor notified
|
|
2014-05-20 Vendor works with TYPO3 security team on a fix
|
|
2014-09-02 Vendor released fixed version [2]
|
|
2014-12-01 Advisory released
|
|
|
|
|
|
References
|
|
==========
|
|
|
|
The TYPO3 extension ke_dompdf contains an old version of the dompdf
|
|
library, which contains an example file that can be used to execute
|
|
arbitrary commands. This vulnerability was fixed in dompdf in 2010. The
|
|
relevant change can be found in the github repository of dompdf:
|
|
|
|
[1] https://github.com/dompdf/dompdf/commit/
|
|
e75929ac6393653a56e84dffc9eac1ce3fb90216
|
|
|
|
TYPO3-EXT-SA-2014-010: Several vulnerabilities in third party extensions:
|
|
|
|
[2] http://typo3.org/teams/security/security-bulletins/typo3-extensions/
|
|
typo3-ext-sa-2014-010/
|
|
|
|
|
|
RedTeam Pentesting GmbH
|
|
=======================
|
|
|
|
RedTeam Pentesting offers individual penetration tests, short pentests,
|
|
performed by a team of specialised IT-security experts. Hereby, security
|
|
weaknesses in company networks or products are uncovered and can be
|
|
fixed immediately.
|
|
|
|
As there are only few experts in this field, RedTeam Pentesting wants to
|
|
share its knowledge and enhance the public knowledge with research in
|
|
security-related areas. The results are made available as public
|
|
security advisories.
|
|
|
|
More information about RedTeam Pentesting can be found at
|
|
https://www.redteam-pentesting.de.
|
|
|
|
--
|
|
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
|
|
Dennewartstr. 25-27 Fax : +49 241 510081-99
|
|
52068 Aachen https://www.redteam-pentesting.de
|
|
Germany Registergericht: Aachen HRB 14004
|
|
Geschäftsführer: Patrick Hof, Jens Liebchen |