lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 5 Jul 2016 08:30:34 -0500
From: Brandon Perry <>
Subject: [FD] PrinceXML PHP wrapper command injection

While grabbing a copy PrinceXML, I noticed the company also offered some wrapper classes in various languages for using prince in server applications (web applications). <>

Taking a quick look at the PHP class, there are likely numerous command injection vulnerabilities. I was able to prove a quick PoC out. Some quick googling yielded more results that expected, so PrinceXML and PHP seem kind of popular?

ini_set('display_errors', '1');

require 'prince.php';

$prince= new Prince($exepath);


$xmlPath='/Applications/MAMP/htdocs/test/new`sleep 5`html.html';

$msgs= array();
$convert=$prince->convert_file($xmlPath, $msgs);



Note how $xmlPath has bash ticks in it to call sleep. Passing an attacker-controlled file name to the convert_file function can result in command injection.

You can use this safely. Using the temporary file mechanisms in PHP to save the user’s file to a randomly named file on the FS, then passing this random name you can trust to convert_file would be fine. That being said, I have no idea what the common permutations of code is for the PrinceXML PHP library and haven’t looked for any more. It seems obvious there will be more vectors.

I haven’t looked at the others. If C# and Java are using the correct classes such as invoking an array of strings as the command and arguments as opposed to a straight up concatenated string, they may be safe. The Rails wrapper seems unofficial.

I also started getting really sad while working on this and had to listen to Purple Rain. RIP

Download attachment "signature.asc" of type "application/pgp-signature" (843 bytes)

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists