Printer, email and PDF versions - Highly critical - Remote Code Execution - SA-CONTRIB-2018-063

Project: Printer, email and PDF versions
Version: 7.x-2.x-dev
Date: 2018-October-03
Security risk: *Highly critical* 20∕25
Vulnerability: Remote Code Execution

Description

This module provides printer-friendly versions of content, including send by
e-mail and PDF versions.

The module does not sufficiently sanitize the arguments it passes to the
wkhtmltopdf executable, so a remote attacker can execute arbitrary shell
commands on the web server. It also does not sufficiently sanitize the HTML
content it passes to dompdf, so a privileged attacker can execute arbitrary
PHP code.

This vulnerability is mitigated by the fact that the site must have either
the wkhtmltopdf or the dompdf sub-module enabled and selected as the PDF
generation tool. In the case of the dompdf vulnerability, the attacker must
also be able to write content to the site.
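The wkhtmltopdf issue is a classic shell command injection: a value the
attacker influences is interpolated into a command string and handed to the
shell. The PHP below is an added illustration of that bug class and of the
usual hardening, not code from the print module (the advisory does not say
which argument was affected). The function names, the `--page-size` option,
the sample URL and output path are assumptions made for the example.

```php
<?php
// Added illustration, not the print module's own code. It shows the class of
// bug the advisory describes (an argument reaching the shell unescaped) next
// to a hardened version. All names and values here are assumptions.

// Vulnerable pattern: string interpolation straight into a shell command.
// If $page_size is attacker-influenced, a value such as
//   "A4; id > /tmp/pwned"
// ends the wkhtmltopdf command after "A4" and runs `id` as the web server user.
function build_cmd_vulnerable(string $wkhtmltopdf, string $page_size, string $url, string $out): string
{
    return "$wkhtmltopdf --page-size $page_size $url $out";
}

// Hardened pattern, still via the shell: allow-list the option value, only
// render http(s) URLs, and escapeshellarg() every single argument.
function build_cmd_hardened(string $wkhtmltopdf, string $page_size, string $url, string $out): string
{
    $allowed_sizes = ['A4', 'Letter', 'Legal']; // assumed allow-list
    if (!in_array($page_size, $allowed_sizes, true)) {
        throw new InvalidArgumentException('Unsupported page size');
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('Only http(s) URLs may be rendered');
    }
    $argv = [$wkhtmltopdf, '--page-size', $page_size, $url, $out];
    return implode(' ', array_map('escapeshellarg', $argv));
}

// Preferred pattern: bypass the shell entirely. On PHP 7.4 and later,
// proc_open() accepts an argument array and executes the program directly,
// so there is no shell parsing for metacharacters to abuse. The same
// allow-list checks as above still apply to the individual values.
function run_wkhtmltopdf(string $wkhtmltopdf, string $page_size, string $url, string $out): int
{
    if (!in_array($page_size, ['A4', 'Letter', 'Legal'], true)) {
        throw new InvalidArgumentException('Unsupported page size');
    }
    $argv = [$wkhtmltopdf, '--page-size', $page_size, $url, $out];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        return -1;
    }
    // Drain and close the pipes so the child cannot block on a full buffer.
    stream_get_contents($pipes[1]);
    stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Demonstration with a constructed malicious page size.
$evil = 'A4; id > /tmp/pwned';
$url  = 'http://example.com/node/1';   // assumed URL
$out  = '/tmp/out.pdf';                // assumed output path
$bin  = '/usr/bin/wkhtmltopdf';        // assumed binary location

// The vulnerable builder happily produces a command containing "; id".
echo build_cmd_vulnerable($bin, $evil, $url, $out), "\n";

// The hardened builder rejects the value before it ever reaches a shell.
try {
    build_cmd_hardened($bin, $evil, $url, $out);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// With a legitimate value every argument is individually single-quoted.
echo build_cmd_hardened($bin, 'A4', $url, $out), "\n";
```

Two points worth noting. First, `escapeshellarg()` alone is not a substitute for the allow-list: wkhtmltopdf accepts many options, so an attacker who controls a quoted argument can still pick a value that changes what the program does, even if they cannot break out to the shell. Second, the dompdf half of the advisory is a different bug class (HTML handed to a library that can evaluate embedded PHP) and is not covered by this example; the advisory's own mitigation for it is to upgrade, or to stop using dompdf as the PDF generation tool.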

Solution

Install the latest version:

* If you use the print module for Drupal 7.x, upgrade to print 7.x-2.1

Alternatively, disable PDF generation, or switch the PDF generation tool to
one of the other supported libraries.

Also see the Printer, email and PDF project page.
