Advisory: Remote Code Execution in TYPO3 Extension ke_dompdf
During a penetration test RedTeam Pentesting discovered a remote code
execution vulnerability in the TYPO3 extension ke_dompdf, which allows
attackers to execute arbitrary PHP commands in the context of the
webserver.
### Details
- Product: ke_dompdf TYPO3 extension
- Affected Versions: 0.0.3\<=
- Fixed Versions: 0.0.5
- Vulnerability Type: Remote Code Execution
- Security Risk: high
- Vendor URL: `http://typo3.org/extensions/repository/view/ke_dompdf`
- Vendor Status: fixed version released
- Advisory URL: `https://www.redteam-pentesting.de/advisories/rt-sa-2014-007`
- Advisory Status: published
- CVE: CVE-2014-6235
- CVE URL: `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6235`
### Introduction
"DomPDF library and a small pi1 to show how to use DomPDF to render the
current typo3-page to pdf."
(taken from the extension's description)
### More Details
The TYPO3 extension ke_dompdf contains a version of the dompdf library
including all files originally supplied with it. This includes an
examples page, which contains different examples for HTML-entities
rendered as a PDF. This page also allows users to enter their own HTML
code into a text box to be rendered by the webserver using dompdf.
dompdf also supports rendering of PHP files and the examples page also
accepts PHP code tags, which are then executed and rendered into a PDF
on the server.
Since those files are not protected in the TYPO3 extension directory,
anyone can access this URL and execute arbitrary PHP code on the system.
This behaviour was already fixed in the dompdf library, but the typo3
extension ke_dompdf supplies an old version of the library that still
allows the execution of arbitrary PHP code.
### Proof of Concept
Access examples.php on the vulnerable system:
`http://www.example.com/typo3conf/ext/ke_dompdf/res/dompdf/www/examples.php`
Enter PHP code in the text box on the bottom of the page and click the
submit button, for example:
```
```
The page will return a PDF file containing the output of the PHP code.
### Workaround
Remove the directory "www" containing the examples.php file or at least
the examples.php file from the extensions' directory.
### Fix
Update to version 0.0.5 of the extension.
### Security Risk
high
### Timeline
- 2014-04-21 Vulnerability identified
- 2014-04-30 Customer approved disclosure to vendor
- 2014-05-06 CVE number requested
- 2014-05-10 CVE number assigned
- 2014-05-13 Vendor notified
- 2014-05-20 Vendor works with TYPO3 security team on a fix
- 2014-09-02 Vendor released fixed version ()
- 2014-12-01 Advisory released
### References
The TYPO3 extension ke_dompdf contains an old version of the dompdf
library, which contains an example file that can be used to execute
arbitrary commands. This vulnerability was fixed in dompdf in 2010. The
relevant change can be found in the github repository of dompdf:
TYPO3-EXT-SA-2014-010: Several vulnerabilities in third party extensions:
### RedTeam Pentesting GmbH
RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at
`https://www.redteam-pentesting.de`.