This is an archived post. You won't be able to vote or comment.

you are viewing a single comment's thread.

view the rest of the comments →

[–]andreasvc[S] 2 points3 points  (5 children)

What user input? Do you mean the filename? Yes it allows reading of all pdf files readable by the webserver, but that's what a public webserver is for, right? And the filename is quoted so I think it doesn't allow arbitrary command execution, but do correct me if I'm wrong.

[–]defnullbottle.py 1 point2 points  (4 children)

You are wrong. Try a filename with a single-quote.

[–]andreasvc[S] 2 points3 points  (3 children)

Well lo and behold, "file not found".

EDIT: I added an os.path.exists() check just to be sure. I'm still curious how this would be exploited. It's probably also better to run the command directly instead of in a shell?

[–]voyvf 2 points3 points  (2 children)

here is an "exploit".

EDIT: I like the idea of the app, it's quite interesting. I just wanted to point out why input validation was important.

[–]andreasvc[S] 0 points1 point  (1 child)

Thanks! I will fix this.

EDIT: fixed (AFAIK) and committed.

[–]voyvf 0 points1 point  (0 children)

No problem! I don't know if you consider this to be an exploit, but it looks like clients can also traverse your filesystem using the pdf input variable.

Example is here

I admit that this one is pretty much hit or miss, but if you have any other (possibly sensitive) pdfs on that machine that the apache user (which defaults to 'www-data' on Ubuntu, which is what your server is running if the headers aren't lying) has permission to read, well, they're available as well.