-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Advisory ID: SYSS-2016-037
Product: Prince
Vendor: YesLogic Pty. Ltd.
Affected Version(s): 10 and below
Tested Version(s): 10.7
Vulnerability Type: Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)
Risk Level: High
Solution Status: Fixed
Vendor Notification: 2016-05-01
Solution Date: 2016-06-02
Public Disclosure: 2016-09-22
CVE Reference: Not assigned
Author of Advisory: Franz G. Jahn, SySS GmbH, https://www.syss.de/advisories/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
Prince [2] is software that converts HTML into PDF files. Because it does
not properly restrict external entity references in the XML input it
processes, this software is susceptible to XML External Entity (XXE)
injection.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
Using a crafted SVG image, it is possible to read arbitrary files with
the privileges of the user running Prince. If Prince is used as part of
a web application that converts user-supplied content, this can lead to
remote file disclosure from the server.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
Run the following script in a Linux shell. The resulting PDF file
/tmp/issue.pdf will contain an image showing the content of /etc/issue.
#!/bin/bash
cat << EOF > /tmp/evil.html
TEST
Test
EOF
prince -o /tmp/issue.pdf /tmp/evil.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
Upgrade to the latest software version available at [3].
An upcoming release of version 11 will also solve the problem.
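For applications that pass user-supplied HTML or SVG to Prince, the gate below (an added example, not part of this advisory or of Prince) rejects input that carries a DTD, the mechanism every XXE payload depends on, before the converter ever sees it. The sample documents in the test are constructed; the "file:///placeholder/path" entity target is a placeholder, not a real target.

```python
import re

# A DOCTYPE with an internal subset [...] is where <!ENTITY ...> declarations
# live; a DOCTYPE with SYSTEM/PUBLIC identifiers makes the parser fetch an
# external DTD, which can itself declare entities. Plain <!DOCTYPE html> has
# neither and is accepted.
_DOCTYPE_RE = re.compile(
    rb"<!DOCTYPE\s+(?P<name>[^\s\[>]+)(?P<rest>[^\[>]*)(?:\[(?P<subset>.*?)\])?\s*>",
    re.IGNORECASE | re.DOTALL,
)
_ENTITY_RE = re.compile(rb"<!ENTITY\b", re.IGNORECASE)
_EXTERNAL_ID_RE = re.compile(rb"\b(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)

RISK_INTERNAL_SUBSET = "DOCTYPE with internal subset (may declare entities)"
RISK_EXTERNAL_DTD = "DOCTYPE with external identifier (external DTD fetch)"
RISK_ENTITY_DECL = "ENTITY declaration present"


def dtd_risks(data: bytes) -> list:
    """Return the reasons this document must not be handed to an XML-aware
    converter. An empty list means no DTD-based entity mechanism was found.
    The check is deliberately fail-closed: an ENTITY declaration inside a
    comment is still rejected rather than risking a parser that reads it."""
    reasons = set()
    for m in _DOCTYPE_RE.finditer(data):
        if m.group("subset") is not None:
            reasons.add(RISK_INTERNAL_SUBSET)
        if _EXTERNAL_ID_RE.search(m.group("rest")):
            reasons.add(RISK_EXTERNAL_DTD)
    if _ENTITY_RE.search(data):
        reasons.add(RISK_ENTITY_DECL)
    return sorted(reasons)


def is_safe_for_conversion(data: bytes) -> bool:
    """True only when dtd_risks() finds nothing; call this before invoking
    prince on untrusted input, and refuse the job otherwise."""
    return not dtd_risks(data)
```

The gate inspects only the bytes you pass it, so SVG that Prince would fetch on its own (for example via an img src pointing at user-controlled content) needs the same check on the fetched file, or the fetch must be prevented. Upgrading to the fixed version remains the actual remedy; the gate is defence in depth for the converter's input.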
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2016-04-21: Vulnerability discovered
2016-05-01: Vulnerability reported to vendor
2016-06-02: Vendor published fixed version
2016-09-22: Public release of security advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] SySS GmbH, SYSS-2016-037
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-037.txt
[2] Prince, Homepage
http://www.princexml.com/
[3] Prince, Latest software packages
http://www.princexml.com/latest/
[4] SySS GmbH, SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
Security vulnerability found by Franz G. Jahn of the SySS GmbH.
E-Mail: franz.jahn (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Franz_Jahn.asc
Key ID: 0xD06A14DE
Key Fingerprint: 2D26 E435 DF7F 572D A0C9 1DE8 D5A6 1496 D06A 14DE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----