|
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --[ Product
TCPDF is an Open Source PHP class for generating PDF documents.
TCPDF project was started in 2002 and now it is freely used all
over the world by millions of people. TCPDF is a Free Libre Open
Source Software (FLOSS). -- http://www.tcpdf.org/
- --[ Vulnerability
Under certain circumstances, an intruder may be able to take
advantage of this flaw to execute arbitrary code with the
privileges of the web server.
To exploit this issue the application that is using TCPDF must be
vulnerable to cross-site scripting inside their pdf generating
code.
The problem is caused by the TCPDF callback element that could be
injected into HTML code. The parsing of the callback element is
using the 'params' attribute inside an eval() statement without any
sanitation.
- --[ Affected Code
tcpdf.php:15421:
case 'tcpdf': {
// NOT HTML: used to call TCPDF methods
if (isset($tag['attribute']['method'])) {
$tcpdf_method = $tag['attribute']['method'];
if (method_exists($this, $tcpdf_method)) {
if (isset($tag['attribute']['params']) AND
(!empty($tag['attribute']['params']))) {
eval('$params = array('.$this->unhtmlentities(
$tag['attribute']['params']).');');
call_user_func_array(array($this, $tcpdf_method),
$params);
} else {
$this->$tcpdf_method();
}
$this->newline = true;
}
}
}
- --[ Proof of Concept
The injection of the following TCPDF callback element into HTML
code (that is processed by TCPDF) will exploit the issue: