Fix RCE in _raw() via $index parameter.
$index is passed down from getImageAtIndex($index).
Luckily the only official horde code calling it
is the PDF preview code with a fixed index of 0.

Still, code from third-party vendors using the Horde framework libs
might expose getImageAtIndex() to the web.

PoC:

----------------
<?php
$options = array('index' => "5'$(ls -al )'");
$max_pages = 10;

// php fun: implicit conversion to integer
if ($options['index'] < $max_pages)
{
    // _raw() call in Im.php might look like
    //        /usr/bin/convert  "/tmp/img1URPsC"'[0]'  -strip png:"/tmp/img0NgHfI"
    echo exec('echo \'[' . $options['index'] . ']\' ');
}
?>
----------------
Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Signed-off-by: Jan Schneider <jan@horde.org>
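The injection the commit message describes and the cast the commit applies, as an added PHP example (not Horde's code): a constructed stand-in for the command assembly in _raw(), where buildConvertCommandUnsafe(), buildConvertCommandSafe() and frameSelectorIsClean() are hypothetical helpers, the convert path and temp file names are sample values, and the escapeshellarg() calls are an extra hardening step assumed here rather than part of the patch.

```php
<?php
// Added example, not code from the Horde project: a constructed stand-in for
// the command assembly in Horde_Image_Im::_raw(), with the pre-fix
// concatenation next to a hardened builder. Paths and index values below are
// constructed sample values.

function buildConvertCommandUnsafe(string $tmpin, string $tmpout, $index): string
{
    // Mirrors the removed line: the option is dropped into a single-quoted
    // '[...]' argument, so a value containing a quote closes that argument
    // and hands the remainder of the string to the shell.
    return '/usr/bin/convert "' . $tmpin . '"\'[' . $index . ']\' -strip png:"'
        . $tmpout . '" 2>&1';
}

function buildConvertCommandSafe(string $tmpin, string $tmpout, $index): string
{
    // The committed fix: an explicit int cast keeps only the leading numeric
    // prefix, so "5'$(ls -al )'" becomes 5 and nothing else reaches the shell.
    $frame = (int) $index;
    // Additional hardening the patch does not include (assumption, see lead-in):
    // escapeshellarg() on every argument, so the builder does not depend on
    // callers having sanitised the temp file paths.
    return '/usr/bin/convert ' . escapeshellarg($tmpin)
        . escapeshellarg('[' . $frame . ']')
        . ' -strip png:' . escapeshellarg($tmpout) . ' 2>&1';
}

// Regression check for the builder: the command must contain exactly one
// bracketed frame selector, and it must be nothing but "[<integer>]".
function frameSelectorIsClean(string $command): bool
{
    return preg_match_all('/\[[^\]]*\]/', $command, $m) === 1
        && preg_match('/^\[-?\d+\]$/', $m[0][0]) === 1;
}

$probe  = "5'$(ls -al )'";   // the index string from the commit message PoC
$tmpin  = '/tmp/img1URPsC';  // sample temp file names, as in the commit message
$tmpout = '/tmp/img0NgHfI';

$unsafe = buildConvertCommandUnsafe($tmpin, $tmpout, $probe);
$safe   = buildConvertCommandSafe($tmpin, $tmpout, $probe);

echo $unsafe, "\n";
echo $safe, "\n";
var_dump(frameSelectorIsClean($unsafe));
var_dump(frameSelectorIsClean($safe));
```

The unsafe builder still carries the quote-breaking payload inside the frame selector, while the hardened builder reduces it to '[5]'; only the strings are assembled here, nothing is executed.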
thomasjfox authored and yunosh committed Sep 19, 2017
1 parent f7672eb commit eb3afd1
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion framework/Image/lib/Horde/Image/Im.php
Expand Up @@ -198,7 +198,7 @@ private function _raw($convert = false, $options = array())
$tmpin = $this->toFile($this->_data);
$tmpout = Horde_Util::getTempFile('img', false, $this->_tmpdir);
$command = $this->_convert . ' ' . implode(' ', $this->_operations)
. ' "' . $tmpin . '"\'[' . $options['index'] . ']\' '
. ' "' . $tmpin . '"\'[' . (integer)$options['index'] . ']\' '
. implode(' ', $this->_postSrcOperations)
. ' -strip ' . $this->_type . ':"' . $tmpout . '" 2>&1';
$this->_logDebug(sprintf("convert command executed by Horde_Image_im::raw(): %s", $command));
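Review bot: The (integer) cast on $options['index'] closes the injection through that parameter, but the rest of the command in this hunk is still assembled by plain concatenation: $tmpin and $tmpout are wrapped in double quotes without escapeshellarg(), and $this->_operations and $this->_postSrcOperations are imploded in verbatim. Consider escapeshellarg() for the paths and for the frame selector, e.g. `escapeshellarg('[' . (int)$options['index'] . ']')`, so _raw() does not rely on every caller having sanitised what goes into those arrays. A one-line comment on the cast stating that it is a shell-injection guard would also help, since a later cleanup could otherwise drop it as a no-op.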
