📅 [ Archival Date ]
Dec 7, 2022 7:52 PM
⚠️ [ ORIGIN SOURCE ]
🏷️ [ Tags ]
pdfkit, ruby
✍️ [ Author ]
Benoit Côté-Jodoin
💣 [ PoC / Exploit ]
INTRODUCED: 14 JUN 2022
How to fix? Upgrade pdfkit to version 0.8.7 or higher.
Overview
Affected versions of this package are vulnerable to Command Injection where the URL is not properly sanitized.
PoC:
An application could be vulnerable if it tries to render a URL that contains query string parameters with user input:
Calling to_pdf on the instance shows that the sleep command is indeed executing:
Of course, if the user can completely control the first argument of the PDFKit constructor, they can also exploit the command injection as long as it starts with "http":
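The upgrade to 0.8.7 is the fix. As an added, defence-in-depth example (not code from the advisory or from the pdfkit project), the following Ruby shows the two checks an application should apply before a URL with user input ever reaches PDFKit.new: build the query string with URI.encode_www_form, so shell metacharacters arrive only as percent-encoded bytes, and then gate the final URL on scheme, host allowlist and a conservative character set. The function names, the allowlist and the sample parameters are assumptions constructed for this example.

```ruby
require "uri"

# Conservative character allowlist for the final URL. This is deliberately
# narrower than RFC 3986: the RFC's reserved set includes $ ( ) ; ' ! * and
# others that a shell interprets, so an RFC-only check is not a defence here.
SAFE_URL_CHARS = %r{\A[A-Za-z0-9\-._~:/?=&%+]+\z}

# Build the URL from a trusted base and a Hash of user-supplied query values.
# URI.encode_www_form percent-encodes every byte outside [A-Za-z0-9*-._] and
# turns space into '+', so $ ( ) ; backtick and whitespace only ever appear as
# %XX sequences. '*' is the one glob character it leaves alone, so it is
# encoded explicitly to keep the result inside SAFE_URL_CHARS.
def build_pdf_url(base, params)
  uri = URI.parse(base)
  raise ArgumentError, "base must be an http(s) URL" unless uri.is_a?(URI::HTTP)
  uri.query = URI.encode_www_form(params).gsub("*", "%2A")
  uri.to_s
end

# Final gate immediately before PDFKit.new(url): true only if the string is
# limited to SAFE_URL_CHARS, parses as http or https (URI::HTTPS is a subclass
# of URI::HTTP) and points at a host the application expects to render.
def safe_pdf_url?(url, allowed_hosts)
  return false unless url.is_a?(String) && url.match?(SAFE_URL_CHARS)
  uri = URI.parse(url)
  return false unless uri.is_a?(URI::HTTP)
  allowed_hosts.include?(uri.host)
rescue URI::InvalidURIError
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: the "name" value carries characters that would
  # be meaningful on a command line if they were interpolated raw.
  url = build_pdf_url("https://example.com/report", { "name" => "Bob & Co", "id" => "42" })
  puts url
  puts safe_pdf_url?(url, ["example.com"])
  # A caller would then do: PDFKit.new(url).to_pdf only when the gate is true.
end
```

The gate rejects rather than escapes: any URL that fails it is dropped with an error to the user, and the rejection is worth logging, since a request that arrives with raw shell metacharacters in a render URL is itself a useful detection signal.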