[SECURITY-L] Fwd: [Security-news] Printer, email and PDF versions - Highly critical - Remote Code Execution - SA-CONTRIB-2018-063

CSIRT Unicamp security em unicamp.br
Qua Out 3 16:20:07 -03 2018 

From: <security-news em drupal.org>
Date: qua, 3 de out de 2018 às 15:38
Subject: [Security-news] Printer, email and PDF versions - Highly critical
- Remote Code Execution - SA-CONTRIB-2018-063
To: <security-news em drupal.org>


View online: https://www.drupal.org/sa-contrib-2018-063

Project: Printer, email and PDF versions [1]
Version: 7.x-2.x-dev
Date: 2018-October-03
Security risk: *Highly critical* 20∕25
AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon [2]
Vulnerability: Remote Code Execution

Description:
This module provides printer-friendly versions of content, including send by
e-mail and PDF versions.

The module doesn't sufficiently sanitize the arguments passed to the
wkhtmltopdf executable, allowing a remote attacker to execute arbitrary
shell
commands. It also doesn't sufficiently sanitize the HTML content passed to
dompdf, allowing a privileged attacker to execute arbitrary PHP code.

This vulnerability is mitigated by the fact that the site must have either
the wkhtmltopdf or dompdf sub-modules enabled and selected as the PDF
generation tool. In the case of the dompdf vulnerability, the attacker must
be able to write content to the site.

Solution:
Install the latest version:

   * If you use the print module for Drupal 7.x, upgrade to print 7.x-2.1
[3]

In alternative, disable PDF generation, or replace the PDF generation
library
with another of the supported versions.

Also see the Printer, email and PDF versions [4] project page.

Reported By:
   * yoloClin  [5]


Fixed By:
   * Lee Rowlands  [6] of the Drupal Security Team
   * João Ventura  [7]
   * yoloClin  [8]


Coordinated By:
   * Lee Rowlands  [9] of the Drupal Security Team
   * Michael Hess  [10] of the Drupal Security Team



[1] https://www.drupal.org/project/print
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/print/releases/7.x-2.1
[4] https://www.drupal.org/project/print
[5] https://www.drupal.org/user/3585171
[6] https://www.drupal.org/user/395439
[7] https://www.drupal.org/user/122464
[8] https://www.drupal.org/user/3585171
[9] https://www.drupal.org/user/395439
[10] https://www.drupal.org/u/mlhess

_______________________________________________
Security-news mailing list
Security-news em drupal.org
-------------- Próxima Parte ----------
Um anexo em HTML foi limpo...
URL: <http://www.listas.unicamp.br/pipermail/security-l/attachments/20181003/d931db2b/attachment.html>

Mais detalhes sobre a lista de discussão SECURITY-L