dkwakkel

php command injection possible


We conducted a security vulnerability of Fusion Charts and the following vulnerability shows up:

Line 184 in FCExporter_SVG2ALL.php calls shell_exec() with a command built from untrusted data. This call can cause the program to execute malicious commands on behalf of an attacker.


Source:

    index.php
    151 Read $_POST()
    153 $exportRequestStream = $_POST;

Sink: FCExporter_SVG2ALL.php:184 shell_exec()

    182 $command = INKSCAPE_PATH . "$bg --without-gui {$tempInputSVGFile} --export- {$ext} $tempOutputFile {$size}";

And:

    $comandJpg = CONVERT_PATH . " -quality 100 $tempOutputFile $tempOutputJpgFile";
    $output .= shell_exec($comandJpg);


I could imagine that if $bg contains something like "& /dosomethingevil" this can be an issue. I expect escapeshellcmd and escapeshellarg instead of shell_exec should be used (see http://stackoverflow.com/a/130323/227061).

Can this be fixed?
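As an added illustration of the fix being asked for (this is example code written for this page, not FusionCharts code): the two exporter commands rebuilt so that every request-controlled value is first validated against an allow-list and then passed to the shell as a single quoted argument via escapeshellarg(). INKSCAPE_PATH and CONVERT_PATH are the constants the exporter already uses; the function names, the allow-lists, the $_POST field names and the exact Inkscape flag spellings (--export-background, --export-width, --export-png=FILE) are assumptions made for the illustration.

```php
<?php
// Added example, not FusionCharts code: rebuilding the two exporter commands
// so that every request-controlled value is validated and handed to the shell
// as one quoted argument. INKSCAPE_PATH and CONVERT_PATH are the constants the
// exporter already uses; the function names, allow-lists and the exact
// Inkscape flag spellings are assumptions made for this illustration.

defined('INKSCAPE_PATH') || define('INKSCAPE_PATH', '/usr/bin/inkscape');
defined('CONVERT_PATH')  || define('CONVERT_PATH', '/usr/bin/convert');

// Export format: fixed allow-list, so only a known keyword reaches the command.
function validateExportFormat(string $ext): string
{
    $ext = strtolower($ext);
    if (!in_array($ext, ['png', 'pdf', 'ps', 'eps'], true)) {
        throw new InvalidArgumentException("unsupported export format: $ext");
    }
    return $ext;
}

// Background colour: only a six-digit hex value, with or without "#".
function validateBackground(string $bg): string
{
    if (!preg_match('/\A#?[0-9A-Fa-f]{6}\z/', $bg)) {
        throw new InvalidArgumentException('background must be a hex colour');
    }
    return '#' . ltrim($bg, '#');
}

// Width/height: a plain positive integer within a sane upper bound.
function validateDimension(string $value, int $max = 10000): int
{
    if (!ctype_digit($value) || (int) $value < 1 || (int) $value > $max) {
        throw new InvalidArgumentException("dimension out of range: $value");
    }
    return (int) $value;
}

// Build the Inkscape command. Every variable part goes through
// escapeshellarg(), which wraps it in single quotes and escapes embedded
// quotes, so characters such as "&", ";" or "|" in request data stay literal.
// Temp file names are generated server-side (tempnam) and never taken from
// the request.
function buildInkscapeCommand(string $inputSvg, string $outputFile, string $ext,
                              ?string $bg = null, ?string $width = null,
                              ?string $height = null): string
{
    $parts = [escapeshellarg(INKSCAPE_PATH), '--without-gui'];
    if ($bg !== null) {
        $parts[] = '--export-background=' . escapeshellarg(validateBackground($bg));
    }
    if ($width !== null) {
        $parts[] = '--export-width=' . escapeshellarg((string) validateDimension($width));
    }
    if ($height !== null) {
        $parts[] = '--export-height=' . escapeshellarg((string) validateDimension($height));
    }
    $parts[] = '--export-' . validateExportFormat($ext) . '=' . escapeshellarg($outputFile);
    $parts[] = escapeshellarg($inputSvg);
    return implode(' ', $parts);
}

// Build the ImageMagick convert command the same way.
function buildConvertCommand(string $inputFile, string $outputJpg): string
{
    return implode(' ', [
        escapeshellarg(CONVERT_PATH), '-quality', '100',
        escapeshellarg($inputFile), escapeshellarg($outputJpg),
    ]);
}

// Request-handling sketch: untrusted fields are read from $_POST (field names
// assumed), validated, and only the resulting quoted command string reaches
// shell_exec().
function exportChart(array $post): string
{
    $tmpDir   = sys_get_temp_dir();
    $inputSvg = tempnam($tmpDir, 'fc_in_');
    $outFile  = tempnam($tmpDir, 'fc_out_');
    file_put_contents($inputSvg, (string) ($post['svg'] ?? ''));

    $command = buildInkscapeCommand(
        $inputSvg, $outFile,
        (string) ($post['exportformat'] ?? 'png'),
        isset($post['bg']) ? (string) $post['bg'] : null,
        isset($post['width']) ? (string) $post['width'] : null,
        isset($post['height']) ? (string) $post['height'] : null
    );
    return (string) shell_exec($command);
}

// Demonstration on constructed input: a background value carrying shell
// metacharacters is rejected by validation before any command is built.
try {
    echo buildInkscapeCommand('/tmp/in.svg', '/tmp/out.png', 'png', '& id', '800'), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo buildInkscapeCommand('/tmp/in.svg', '/tmp/out.png', 'png', '#FFFFFF', '800', '600'), PHP_EOL;
echo buildConvertCommand('/tmp/out.png', '/tmp/out.jpg'), PHP_EOL;
```

Two design points worth noting. escapeshellcmd() escapes the metacharacters of a whole command line but leaves argument boundaries intact, so on its own it does not stop a request value from being read as an extra option; quoting each value with escapeshellarg() and allow-listing the values that have a fixed vocabulary (format keywords, colours, sizes) is the combination that closes the finding. The file names are kept out of the request entirely because ImageMagick's convert interprets certain prefixes and leading characters in a file argument specially, so a server-generated tempnam() is the safer source for them.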
