Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

TCPDF Remote Command Execution

🗓️ 09 Apr 2010 00:00:00Reported by apocType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 18 Views

TCPDF Remote Command Execution, Cross-Site Scripting Vulnerabilit

Code
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
- --[ Product  
  
TCPDF is an Open Source PHP class for generating PDF documents.  
TCPDF project was started in 2002 and now it is freely used all  
over the world by millions of people. TCPDF is a Free Libre Open  
Source Software (FLOSS). -- http://www.tcpdf.org/  
  
- --[ Vulnerability  
  
Under certain circumstances, an intruder may be able to take  
advantage of this flaw to execute arbitrary code with the  
privileges of the web server.  
  
To exploit this issue the application that is using TCPDF must be  
vulnerable to cross-site scripting inside their pdf generating  
code.  
  
The problem is caused by the TCPDF callback element that could be  
injected into HTML code. The parsing of the callback element is  
using the 'params' attribute inside an eval() statement without any  
sanitation.  
  
- --[ Affected Code  
  
tcpdf.php:15421:  
case 'tcpdf': {  
// NOT HTML: used to call TCPDF methods  
if (isset($tag['attribute']['method'])) {  
$tcpdf_method = $tag['attribute']['method'];  
if (method_exists($this, $tcpdf_method)) {  
if (isset($tag['attribute']['params']) AND  
(!empty($tag['attribute']['params']))) {  
  
eval('$params = array('.$this->unhtmlentities(  
$tag['attribute']['params']).');');  
  
call_user_func_array(array($this, $tcpdf_method),  
$params);  
} else {  
$this->$tcpdf_method();  
}  
$this->newline = true;  
}  
}  
}  
  
- --[ Proof of Concept  
  
The injection of the following TCPDF callback element into HTML  
code (that is processed by TCPDF) will exploit the issue:  
  
<tcpdf method="Rect" params=");echo `id`;die(" />  
  
- --[ Affected Versions  
  
TCPDF versions from 4.5.036 (2009-04-03) to 4.9.005 (2010-04-01)  
are vulnerable to this issue, version 4.9.006 (2010-04-02) fixes  
the problem.  
  
The new version introduced a configuration constant to disable the  
TCPDF callback element: K_TCPDF_CALLS_IN_HTML (default: true)  
  
- --[ Timeline  
  
2010-04-02 -- Vendor notified  
2010-04-02 -- Vendor reaction and security fix  
2010-04-08 -- Public disclosure (with vendor permissions)  
  
- --  
(a) (p)roof (o)f (c)oncept ..  
http://apoc.sixserv.org/  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.10 (GNU/Linux)  
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/  
  
iEYEARECAAYFAku9ZUoACgkQWlhozqFVuMtAFACfSRQzl9Z6b9tMerJRbQ0qXyW4  
aD8An0o+79nWFtxA29x4XbUARZkg2rr7  
=9coC  
-----END PGP SIGNATURE-----  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
09 Apr 2010 00:00Current
7.4High risk
Vulners AI Score7.4
tcpdfphppdfcross-site scriptingvulnerabilityremote executionopen source softwaresecurity fixpublic disclosure
18