-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-037
Product: Prince
Vendor: YesLogic Pty. Ltd.
Affected Version(s): 10 and below
Tested Version(s): 10.7
Vulnerability Type: Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)
Risk Level: High
Solution Status: Fixed
Vendor Notification: 2016-05-01
Solution Date: 2016-06-02
Public Disclosure: 2016-09-22
CVE Reference: Not assigned
Author of Advisory: Franz G. Jahn, SySS GmbH, https://www.syss.de/advisories/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Prince [2] is a software product that converts HTML into PDF files.

By failing to restrict external entity references in user-supplied input properly, this software is susceptible to XML External Entity (XXE) injection.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Using a crafted SVG image, it is possible to read arbitrary files with the privileges of the user running Prince. If Prince is used within a web application, this can lead to remote file disclosure.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Run the following script in a Linux shell. The resulting PDF file /tmp/issue.pdf will contain an image with the content of /etc/issue.

#!/bin/bash
cat << EOF > /tmp/evil.html
TEST

Test

EOF
prince -o /tmp/issue.pdf /tmp/evil.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Upgrade to the latest software version available at [3]. The upcoming release of version 11 will also fix the problem.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-04-21: Vulnerability discovered
2016-05-01: Vulnerability reported to vendor
2016-06-02: Vendor published fixed version
2016-09-22: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] SySS GmbH, SYSS-2016-037
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-037.txt
[2] Prince, Homepage
    http://www.princexml.com/
[3] Prince, Latest software packages
    http://www.princexml.com/latest/
[4] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Franz G. Jahn of the SySS GmbH.

E-Mail: franz.jahn (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Franz_Jahn.asc
Key ID: 0xD06A14DE
Key Fingerprint: 2D26 E435 DF7F 572D A0C9 1DE8 D5A6 1496 D06A 14DE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site.
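The Vulnerability Details and PoC sections above describe the defender's problem: an HTML-to-PDF converter that parses XML (here via an embedded SVG) will resolve external entities unless that is prevented. Until the fix is deployed, a web application that feeds user-supplied documents to such a converter can screen them first. The following Python example is an addition to this page, not code from the SySS advisory or from Prince; it uses only the standard library's expat bindings, which observe DOCTYPE and entity declarations without fetching anything. Both sample documents and the entity target path in the second one are constructed placeholders.

```python
"""Pre-screen SVG/XML before handing it to an XML-aware converter.

Added defender-side example: a benign SVG submitted for HTML-to-PDF conversion
needs no DOCTYPE and declares no entities, so any such construct is reported
and the document is rejected before the converter ever sees it.
"""
from dataclasses import dataclass, field
from xml.parsers import expat


@dataclass
class XmlInspection:
    """Everything the screener noticed; an empty list means 'safe'."""
    findings: list[str] = field(default_factory=list)

    @property
    def safe(self) -> bool:
        return not self.findings


def inspect_xml(data: bytes) -> XmlInspection:
    """Parse with expat and record DTD/entity constructs without resolving any.

    expat never fetches external entities on its own: the handlers below only
    observe declarations and references, so untrusted input is not dereferenced.
    """
    result = XmlInspection()
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        result.findings.append(f"DOCTYPE declared for <{name}>")
        if system_id or public_id:
            result.findings.append(
                f"external DTD subset: system={system_id!r} public={public_id!r}")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        kind = "parameter" if is_param else "general"
        if system_id is None:
            result.findings.append(f"internal {kind} entity {name!r} declared")
        else:
            result.findings.append(f"external {kind} entity {name!r} -> {system_id!r}")

    def on_external_ref(context, base, system_id, public_id):
        result.findings.append(f"external entity referenced: {system_id!r}")
        return 1  # report success to expat so parsing continues; nothing is loaded

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref

    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        # Malformed input is rejected too: the converter's parser may be more
        # lenient than this one, and we cannot reason about what it would do.
        result.findings.append(f"not well-formed XML: {exc}")
    return result


def screen_for_conversion(data: bytes) -> bool:
    """Gate for the web tier: True only when nothing DTD-related was found."""
    return inspect_xml(data).safe


# Constructed sample inputs (not taken from the advisory).
BENIGN_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="blue"/>
</svg>
"""

# Same shape as an external-entity declaration; the target is a placeholder path.
ENTITY_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY ext SYSTEM "file:///placeholder/local-file">
]>
<svg xmlns="http://www.w3.org/2000/svg">
  <text>&ext;</text>
</svg>
"""


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("entity", ENTITY_SVG)):
        report = inspect_xml(doc)
        print(f"{label}: {'accept' if report.safe else 'reject'}")
        for line in report.findings:
            print("  -", line)
```

The policy here is deliberately strict: any DOCTYPE is a finding, which also rejects editor-exported SVGs that carry only a public identifier for the SVG DTD. If those must be accepted, relax `on_doctype` to report only when `has_internal_subset` is true or a system identifier is present, and keep the entity handlers as they are; the screen is a stop-gap, and the real fix is the vendor's update referenced in the Solution section.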
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright: Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJX4Al4AAoJENWmFJbQahTeAvoP/1BlSf9YU7edn7Kf+6CYvi7k
Z8TR2IPmfsMqSJzo9PRvgixHiKX28NLlnoM/LnE8N07s+/96h/NYD7uUHVywN8WL
i5/GZyC9qU1OsirG6JO9070r0LnaXW79pwurB3sU1SC+9Plsr7fhghwRgr5gA9r8
yTmvz8E3OpxUPz3t6CMr9xM4nQuQfqI4GNPnm3W0kd+jRpOEGZ42LoJqRMhcyltv
pgxPDeqXlt0vZjuWrkknEVdCQYGq63wcuit9aRrhBna7lh9WnYYlY0lCePx23gPP
dc6FybwOH+BweVeGJ70HwOn9aSKr8AbNPYWqIvW5XfSMROyV7l+PWcB42RdQjrM5
6YL3DKmYmFEbnS1mqfU+QXVFxHsEDE920U0p7H6LXk2kVXtauVGWfWS+3CrlHthn
jIcAzQvs+7xbgLHHrYmxPDvZCB8NMejzU/2Yj0busC/vfP8C1zE/nm5Je795Hnwz
naIgHhV38i2bGBiY90TYxUSwNFiPOFHjcNjC6TG22Q/NRhe8QwA/8dMZ4v0YfJcQ
CMRRxN5JUHkvbtgrrKBYklGzFllsAwda8rJETAUaoX/y027Bvn0Xte3ReL9GESLZ
ecsz1Qh3ykcQetlLkkhGrRBucZ1ZZQdu78+YHY/w+pOdSbpT/so8chPBfF2uTQGn
vu9U90PjkypxJ1KzzY0m
=53PM
-----END PGP SIGNATURE-----