Fix RCE in _raw() via $index parameter.
$index is passed down from getImageAtIndex($index).
Luckily the only official horde code calling it
is the PDF preview code with a fixed index of 0.
Still, code from third-party vendors using the Horde framework libs
might expose getImageAtIndex() to the web.
PoC:
----------------
<?php
$options = array('index' => "5'$(ls -al )'");
$max_pages = 10;
// php fun: implicit conversion to integer
if ($options['index'] < $max_pages)
{
// _raw() call in Im.php might look like
// /usr/bin/convert "/tmp/img1URPsC"'[0]' -strip png:"/tmp/img0NgHfI"
echo exec('echo \'[' . $options['index'] . ']\' ');
}
?>
----------------
Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Signed-off-by: Jan Schneider <jan@horde.org>
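Added example, not part of this commit or of Horde's own code: the unsafe command construction the message describes, beside a hardened version that only accepts a non-negative integer index before anything is handed to the shell. The function names, the exception class and the file paths are assumptions made for the illustration.

```php
<?php
// Added example (not Horde's code): the unsafe pattern the commit describes,
// next to a hardened version that refuses anything but a non-negative integer.
// Function names, ImageIndexException and the paths are hypothetical/constructed.

class ImageIndexException extends InvalidArgumentException {}

// Vulnerable shape: $index is interpolated into the shell string verbatim.
// A loose "< $max_pages" check does not help: a leading-numeric string such
// as "5'...'" compares as 5 on PHP 5/7, yet reaches the shell untouched.
function buildConvertCommandUnsafe($src, $dst, $index, $max_pages = 10)
{
    if ($index < $max_pages) {
        return '/usr/bin/convert "' . $src . '"\'[' . $index . ']\' -strip png:"' . $dst . '"';
    }
    return null;
}

// Hardened: validate the index as an integer within [0, max_pages) first,
// and still quote every shell argument so the remaining pieces are inert.
function validateImageIndex($index, $max_pages = 10)
{
    // FILTER_VALIDATE_INT rejects leading-numeric strings like "5'$(ls -al )'".
    $n = filter_var($index, FILTER_VALIDATE_INT, array(
        'options' => array('min_range' => 0, 'max_range' => $max_pages - 1),
    ));
    if ($n === false) {
        throw new ImageIndexException('image index must be an integer in [0, ' . ($max_pages - 1) . ']');
    }
    return $n;
}

function buildConvertCommand($src, $dst, $index, $max_pages = 10)
{
    $n = validateImageIndex($index, $max_pages);
    // $n is now an int, so "[N]" cannot carry shell syntax; paths are quoted too.
    return '/usr/bin/convert ' . escapeshellarg($src . '[' . $n . ']')
        . ' -strip ' . escapeshellarg('png:' . $dst);
}

// Demonstration with the commit's crafted value and constructed sample paths.
$crafted = "5'$(ls -al )'";
echo buildConvertCommandUnsafe('/tmp/img1URPsC', '/tmp/img0NgHfI', $crafted), "\n";
try {
    buildConvertCommand('/tmp/img1URPsC', '/tmp/img0NgHfI', $crafted);
} catch (ImageIndexException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo buildConvertCommand('/tmp/img1URPsC', '/tmp/img0NgHfI', '0'), "\n";
```

The unsafe builder emits the crafted index inside the command line, while the hardened builder throws for it and only produces a command for a plain integer such as '0'.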