Advisory: Remote Code Execution in TYPO3 Extension ke_dompdf

During a penetration test RedTeam Pentesting discovered a remote code
execution vulnerability in the TYPO3 extension ke_dompdf, which allows
attackers to execute arbitrary PHP commands in the context of the
webserver.

Details
=======

Product: ke_dompdf TYPO3 extension
Affected Versions: <= 0.0.3
Fixed Versions: 0.0.5
Vulnerability Type: Remote Code Execution
Security Risk: high
Vendor URL: http://typo3.org/extensions/repository/view/ke_dompdf
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-007
Advisory Status: published
CVE: CVE-2014-6235
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6235

Introduction
============

"DomPDF library and a small pi1 to show how to use DomPDF to render the
current typo3-page to pdf."
(taken from the extension's description)

More Details
============

The TYPO3 extension ke_dompdf contains a version of the dompdf library
including all files originally supplied with it. This includes an
examples page, which shows various examples of HTML elements rendered as
a PDF. This page also allows users to enter their own HTML code into a
text box, which the webserver then renders using dompdf. dompdf also
supports rendering of PHP files, and the examples page also accepts PHP
code tags, which are executed on the server and rendered into the
resulting PDF.

Since those files are not protected in the TYPO3 extension directory,
anyone can access this URL and execute arbitrary PHP code on the system.
This behaviour was already fixed in the dompdf library, but the TYPO3
extension ke_dompdf supplies an old version of the library that still
allows the execution of arbitrary PHP code.

Proof of Concept
================

Access examples.php on the vulnerable system:

http://www.example.com/typo3conf/ext/ke_dompdf/res/dompdf/www/examples.php

Enter PHP code in the text box at the bottom of the page and click the
submit button, for example:

------------------------------------------------------------------------
<?php phpinfo() ?>
------------------------------------------------------------------------

The page will return a PDF file containing the output of the PHP code.

Workaround
==========

Remove the directory "www" containing the examples.php file, or at least
the examples.php file itself, from the extension's directory.
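
The following shell script is an added example and not part of the
original advisory: it audits a TYPO3 installation for the exposed
examples page at the extension path given above and applies the
workaround by removing the "www" directory. The extension path comes
from the advisory; reading the installed version from ext_emconf.php
assumes the usual TYPO3 'version' => '...' entry in that file.

```shell
#!/bin/sh
# Audit a TYPO3 installation for the dompdf examples page bundled with
# ke_dompdf (rt-sa-2014-007 / CVE-2014-6235) and apply the advisory's
# workaround. Example code, not part of the advisory or the extension.

EXT_REL="typo3conf/ext/ke_dompdf"            # path from the advisory
WWW_REL="$EXT_REL/res/dompdf/www"            # directory holding examples.php

# Print the installed ke_dompdf version taken from ext_emconf.php
# (assumes the usual 'version' => '0.0.x' entry), or "unknown".
ke_dompdf_version() {
    emconf="$1/$EXT_REL/ext_emconf.php"
    v=""
    if [ -f "$emconf" ]; then
        v=$(sed -n "s/.*'version'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" "$emconf" | head -n 1)
    fi
    echo "${v:-unknown}"
}

# Return 0 if no examples page is present, 1 if the vulnerable page is
# still reachable from the webroot given as $1.
audit_ke_dompdf() {
    root="$1"
    if [ -f "$root/$WWW_REL/examples.php" ]; then
        echo "EXPOSED: $root/$WWW_REL/examples.php (ke_dompdf $(ke_dompdf_version "$root"))"
        return 1
    fi
    echo "ok: no dompdf examples page under $root/$EXT_REL"
    return 0
}

# Workaround from the advisory: remove the whole "www" directory of the
# bundled dompdf library, which contains examples.php.
remove_examples_page() {
    root="$1"
    if [ -d "$root/$WWW_REL" ]; then
        rm -rf "$root/$WWW_REL"
        echo "removed $root/$WWW_REL"
    fi
}
```

Run `audit_ke_dompdf /path/to/typo3` against each installation; a
non-zero exit status means the examples page is still deployed and
`remove_examples_page` (or the update to 0.0.5) is still outstanding.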

Fix
===

Update to version 0.0.5 of the extension.


Security Risk
=============

high

Timeline
========

2014-04-21 Vulnerability identified
2014-04-30 Customer approved disclosure to vendor
2014-05-06 CVE number requested
2014-05-10 CVE number assigned
2014-05-13 Vendor notified
2014-05-20 Vendor works with TYPO3 security team on a fix
2014-09-02 Vendor released fixed version [2]
2014-12-01 Advisory released

References
==========

The TYPO3 extension ke_dompdf contains an old version of the dompdf
library, which contains an example file that can be used to execute
arbitrary commands. This vulnerability was fixed in dompdf in 2010. The
relevant change can be found in the GitHub repository of dompdf:

[1] https://github.com/dompdf/dompdf/commit/e75929ac6393653a56e84dffc9eac1ce3fb90216

TYPO3-EXT-SA-2014-010: Several vulnerabilities in third party extensions:

[2] http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2014-010/

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. This uncovers
security weaknesses in company networks or products so that they can be
fixed immediately.

As there are only a few experts in this field, RedTeam Pentesting wants
to share its knowledge and enhance public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.

--
RedTeam Pentesting GmbH                 Tel.: +49 241 510081-0
Dennewartstr. 25-27                     Fax : +49 241 510081-99
52068 Aachen                            https://www.redteam-pentesting.de
Germany                                 Commercial register: Aachen HRB 14004
Managing directors: Patrick Hof, Jens Liebchen