Menu

Search for hundreds of thousands of exploits

"dompdf 0.6.0 - 'dompdf.php?read' Arbitrary File Read"

Author

Exploit author

Portcullis

Platform

Exploit platform

php

Release date

Exploit published date

2014-04-24

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
Vulnerability title: Arbitrary file read in dompdf
CVE: CVE-2014-2383
Vendor: dompdf
Product: dompdf
Affected version: v0.6.0
Fixed version: v0.6.1 (partial fix)
Reported by: Alejo Murillo Moyas

Details:
An arbitrary file read vulnerability is present on dompdf.php file that
allows remote or local attackers to read local files using a special
crafted argument. This vulnerability requires the configuration flag
DOMPDF_ENABLE_PHP to be enabled (which is disabled by default).

Using PHP protocol and wrappers it is possible to bypass the dompdf's
"chroot" protection (DOMPDF_CHROOT) which prevents dompdf from accessing
system files or other files on the webserver. Please note that the flag
DOMPDF_ENABLE_REMOTE needs to be enabled.

Command line interface:
php dompdf.php
php://filter/read=convert.base64-encode/resource=<PATH_TO_THE_FILE>

Web interface:
   
http://example/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=<PATH_TO_THE_FILE>
        

Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2383/


Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights
reserved worldwide. Permission is hereby granted for the electronic
redistribution of this information. It is not to be edited or altered in
any way without the express written consent of Portcullis Computer
Security Limited.

Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties, implied or otherwise, with regard to this information
or its use. Any use of this information is at the user's risk. In no
event shall the author/distributor (Portcullis Computer Security
Limited) be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-12-02 "WordPress Plugin Wp-FileManager 6.8 - RCE" webapps php "Mansoor R"
2020-12-02 "WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution" webapps php zetc0de
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover" webapps php "Mufaddal Masalawala"
2020-12-02 "Simple College Website 1.0 - 'page' Local File Inclusion" webapps php Mosaaed
2020-12-02 "Car Rental Management System 1.0 - SQL Injection / Local File include" webapps php Mosaaed
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
2020-12-02 "WonderCMS 3.1.3 - Authenticated Remote Code Execution" webapps php zetc0de
2020-12-01 "Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS" webapps php yunaranyancat
Release Date Title Type Platform Author
2016-02-03 "Viprinet Multichannel VPN Router 300 - Persistent Cross-Site Scripting" webapps hardware Portcullis
2015-09-25 "X2Engine 4.2 - Cross-Site Request Forgery" webapps php Portcullis
2015-09-25 "X2Engine 4.2 - Arbitrary File Upload" webapps php Portcullis
2015-07-14 "Pimcore CMS Build 3450 - Directory Traversal" webapps xml Portcullis
2015-04-21 "BlueDragon CFChart Servlet 7.1.1.17759 - Arbitrary File Retrieval/Deletion" webapps cfm Portcullis
2014-12-10 "OpenEMR 4.1.2(7) - Multiple SQL Injections" webapps php Portcullis
2014-10-28 "Enalean Tuleap 7.4.99.5 - Remote Command Execution" webapps php Portcullis
2014-10-28 "Enalean Tuleap 7.4.99.5 - Blind SQL Injection" webapps php Portcullis
2014-10-28 "Enalean Tuleap 7.2 - XML External Entity File Disclosure" webapps php Portcullis
2014-10-02 "PHPCompta/NOALYSS 6.7.1 5638 - Remote Command Execution" webapps php Portcullis
2014-10-02 "TestLink 1.9.11 - Multiple SQL Injections" webapps php Portcullis
2014-06-12 "IBM AIX 6.1.8 - 'libodm' Arbitrary File Write" local aix Portcullis
2014-05-14 "Broadcom PIPA C211 - Sensitive Information Disclosure" webapps hardware Portcullis
2014-04-24 "dompdf 0.6.0 - 'dompdf.php?read' Arbitrary File Read" webapps php Portcullis
2014-03-12 "Procentia IntelliPen 1.1.12.1520 - 'data.aspx' Blind SQL Injection" webapps asp Portcullis
2014-03-12 "vTiger CRM 5.4.0/6.0 RC/6.0.0 GA - 'browse.php' Local File Inclusion" webapps php Portcullis
2014-03-10 "ownCloud 4.0.x/4.5.x - 'upload.php?Filename' Remote Code Execution" webapps multiple Portcullis
2014-03-01 "Oracle Demantra 12.2.1 - SQL Injection" webapps windows Portcullis
2014-03-01 "Oracle Demantra 12.2.1 - Persistent Cross-Site Scripting" webapps windows Portcullis
2014-03-01 "Oracle Demantra 12.2.1 - Arbitrary File Disclosure" webapps windows Portcullis
2014-03-01 "Oracle Demantra 12.2.1 - Database Credentials Disclosure" webapps windows Portcullis
2008-05-11 "ScrewTurn Software ScrewTurn Wiki 2.0.x - 'System Log' Page HTML Injection" webapps php Portcullis
2008-05-08 "SAP Internet Transaction Server 6200.1017.50954.0 Bu (WGate) - 'wgate.dll?~service' Cross-Site Scripting" webapps cgi Portcullis
2008-05-08 "SAP Internet Transaction Server 6200.1017.50954.0 - Bu query String JavaScript Splicing Cross-Site Scripting" webapps cgi Portcullis 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected