
Command injection in the PdfBook extension (CVE-2023-24612)
Closed, Invalid (Public Security)

Description

Hello,

The PdfBook extension is vulnerable to a command injection vulnerability.
Settings of the extension can be retrieved via request parameters and are directly used to build a command executed via shell_exec().

Accessing the following URL on an instance with the PdfBook extension will generate a /tmp/a file with the content of /etc/passwd: https://<mediawiki_instance>/index.php?title=Main_Page&action=pdfbook&format=single&pdfHtmlDocPath=cat%3C/etc/passwd%3E/tmp/a;

I have attached a patch proposal to fix the issue.

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities
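The pattern the report describes, as an added illustration that is not PdfBook's own code: a request parameter (`pdfHtmlDocPath`, as in the PoC URL above) is interpolated unquoted into a command string destined for `shell_exec()`, beside a hardened builder that takes the binary path only from site configuration, allow-lists `format`, and quotes every argument with `escapeshellarg()`. The `htmldoc` command-line flags, the configured path, the function names and the sample request are assumptions made for this example.

```php
<?php
// Added illustration, not PdfBook's code. The only trustworthy source for a
// binary path is site configuration, never the HTTP request.
const CONFIGURED_HTMLDOC = '/usr/bin/htmldoc';

/**
 * Vulnerable pattern (hypothetical, mirrors the report): a request-supplied
 * "setting" overrides the configured path and is interpolated unquoted, so
 * shell metacharacters in it become part of the command shell_exec() runs.
 */
function buildCommandVulnerable(array $request, string $inputFile, string $outputFile): string
{
    $htmldoc = $request['pdfHtmlDocPath'] ?? CONFIGURED_HTMLDOC;
    $format  = $request['format'] ?? 'single';
    return "$htmldoc --format pdf14 --$format $inputFile -f $outputFile";
}

/**
 * Hardened pattern: the binary path is fixed by configuration, the one
 * user-influenced value is checked against an allow-list, and every argument
 * is quoted so the shell treats it as data rather than syntax.
 */
function buildCommandHardened(array $request, string $inputFile, string $outputFile): string
{
    $allowedFormats = ['single' => true, 'book' => true];
    $format = $request['format'] ?? 'single';
    if (!isset($allowedFormats[$format])) {
        throw new InvalidArgumentException("Unsupported format: $format");
    }
    // pdfHtmlDocPath is deliberately never read from $request here.
    $args = [CONFIGURED_HTMLDOC, '--format', 'pdf14', "--$format", $inputFile, '-f', $outputFile];
    return implode(' ', array_map('escapeshellarg', $args));
}

// Constructed request: a command smuggled into what should have been a path.
$request = ['format' => 'single', 'pdfHtmlDocPath' => 'htmldoc; echo INJECTED'];

// Neither builder executes anything; comparing the two strings shows why the
// first one is exploitable and the second one is not.
echo "vulnerable: ", buildCommandVulnerable($request, '/tmp/in.html', '/tmp/out.pdf'), "\n";
echo "hardened:   ", buildCommandHardened($request, '/tmp/in.html', '/tmp/out.pdf'), "\n";
```

Running it prints the injected `; echo INJECTED` as live shell syntax in the first line, while the second line contains only the configured binary and single-quoted arguments.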

Event Timeline

Thanks for the report, but I'm not sure what the status of this extension is. Per MediaWiki-extensions-PdfBook:

Tasks and bug reports have moved to https://github.com/OrganicDesign/extensions/issues and are not handled in Wikimedia Phabricator anymore!

Of course that github URL 404s. And from the extension's mediawiki page:

This extension is currently not actively maintained! Although it may still work, any bug reports or feature requests will more than likely be ignored.

This looks to be the most canonical and current repo for the extension:

https://gitlab.com/organicdesign/PdfBook/

And so this should likely be filed as a security issue there. Though it looks like there is a bit of a backlog for issues in general:

https://gitlab.com/organicdesign/PdfBook/-/issues

Aklapper removed a subscriber: MediaWiki-extensions-PdfBook.

I'm afraid this needs to be reported at https://gitlab.com/organicdesign/PdfBook/-/issues instead, per https://www.mediawiki.org/wiki/Extension:PdfBook
I'm closing this as invalid, not because the issue is not valid, but because Wikimedia Phabricator is not a place where the extension maintainers will see this issue.

sbassett renamed this task from Command injection in the PdfBook extension to Command injection in the PdfBook extension (CVE-2023-24612). Jan 30 2023, 8:34 PM
sbassett triaged this task as Low priority.
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.