Skip to content
cyberexploits
webappphptext

TYPO3 ke DomPDF Extension - Remote Code Execution

TYPO3 ke DomPDF Extension - Remote Code Execution

Published on 2014-12-02

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/php/webapps/35443.txt7eac4c3a
raw
Advisory: Remote Code Execution in TYPO3 Extension ke_dompdf



During a penetration test RedTeam Pentesting discovered a remote code

execution vulnerability in the TYPO3 extension ke_dompdf, which allows

attackers to execute arbitrary PHP commands in the context of the

webserver. 





Details

=======



Product: ke_dompdf TYPO3 extension

Affected Versions: 0.0.3<=

Fixed Versions: 0.0.5

Vulnerability Type: Remote Code Execution

Security Risk: high

Vendor URL: http://typo3.org/extensions/repository/view/ke_dompdf

Vendor Status: fixed version released

Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-007

Advisory Status: published

CVE: CVE-2014-6235

CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6235





Introduction

============



"DomPDF library and a small pi1 to show how to use DomPDF to render the

current typo3-page to pdf."

(taken from the extension's description)





More Details

============



The TYPO3 extension ke_dompdf contains a version of the dompdf library

including all files originally supplied with it. This includes an

examples page, which contains different examples for HTML-entities

rendered as a PDF.  This page also allows users to enter their own HTML

code into a text box to be rendered by the webserver using dompdf.

dompdf also supports rendering of PHP files and the examples page also

accepts PHP code tags, which are then executed and rendered into a PDF

on the server.



Since those files are not protected in the TYPO3 extension directory,

anyone can access this URL and execute arbitrary PHP code on the system.

This behaviour was already fixed in the dompdf library, but the typo3

extension ke_dompdf supplies an old version of the library that still

allows the execution of arbitrary PHP code.





Proof of Concept

================



Access examples.php on the vulnerable system:

http://www.example.com/typo3conf/ext/ke_dompdf/res/dompdf/www/examples.php



Enter PHP code in the text box on the bottom of the page and click the

submit button, for example:



------------------------------------------------------------------------

<?php phpinfo() ?>

------------------------------------------------------------------------



The page will return a PDF file containing the output of the PHP code.





Workaround

==========



Remove the directory "www" containing the examples.php file or at least

the examples.php file from the extensions' directory.





Fix

===



Update to version 0.0.5 of the extension.





Security Risk

=============



high





Timeline

========



2014-04-21 Vulnerability identified

2014-04-30 Customer approved disclosure to vendor

2014-05-06 CVE number requested

2014-05-10 CVE number assigned

2014-05-13 Vendor notified

2014-05-20 Vendor works with TYPO3 security team on a fix

2014-09-02 Vendor released fixed version [2]

2014-12-01 Advisory released





References

==========



The TYPO3 extension ke_dompdf contains an old version of the dompdf

library, which contains an example file that can be used to execute

arbitrary commands.  This vulnerability was fixed in dompdf in 2010. The

relevant change can be found in the github repository of dompdf:



[1] https://github.com/dompdf/dompdf/commit/

    e75929ac6393653a56e84dffc9eac1ce3fb90216



TYPO3-EXT-SA-2014-010: Several vulnerabilities in third party extensions:



[2] http://typo3.org/teams/security/security-bulletins/typo3-extensions/

    typo3-ext-sa-2014-010/





RedTeam Pentesting GmbH

=======================



RedTeam Pentesting offers individual penetration tests, short pentests,

performed by a team of specialised IT-security experts. Hereby, security

weaknesses in company networks or products are uncovered and can be

fixed immediately.



As there are only few experts in this field, RedTeam Pentesting wants to

share its knowledge and enhance the public knowledge with research in

security-related areas. The results are made available as public

security advisories.



More information about RedTeam Pentesting can be found at

https://www.redteam-pentesting.de.



-- 

RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0

Dennewartstr. 25-27                       Fax : +49 241 510081-99

52068 Aachen                    https://www.redteam-pentesting.de

Germany                         Registergericht: Aachen HRB 14004

Geschäftsführer:                       Patrick Hof, Jens Liebchen
View on GitHub