View online: https://www.drupal.org/sa-contrib-2018-063
Project: Printer, email and PDF versions [1]
Version: 7.x-2.x-dev
Date: 2018-October-03
Security risk: *Highly critical* 20/25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon [2]
Vulnerability: Remote Code Execution
Description:
This module provides printer-friendly versions of content, including send by e-mail and PDF versions.
The module doesn't sufficiently sanitize the arguments passed to the wkhtmltopdf executable, allowing a remote attacker to execute arbitrary shell commands. It also doesn't sufficiently sanitize the HTML content passed to dompdf, allowing a privileged attacker to execute arbitrary PHP code.
This vulnerability is mitigated by the fact that the site must have either the wkhtmltopdf or dompdf sub-modules enabled and selected as the PDF generation tool. In the case of the dompdf vulnerability, the attacker must be able to write content to the site.
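The wkhtmltopdf flaw class named in the description, shown as an added PHP illustration that is not the print module's code: the function names, sample URL and output file name are hypothetical, and the no-shell variant assumes PHP 7.4 or later for proc_open()'s argument-array form.

```php
<?php
// Added, hypothetical illustration of the flaw class in this advisory. This is
// NOT the print module's code; function and parameter names are invented.

// VULNERABLE pattern: request-controlled values are pasted into a shell string.
// The shell parses metacharacters in the string before wkhtmltopdf ever runs,
// which is the remote command execution the advisory describes.
function build_pdf_command_unsafe(string $bin, string $url, string $out): string {
    return "$bin $url $out";   // later handed to exec()/shell_exec()
}

// HARDENED pattern: allow-list the inputs, then quote every argument so the
// shell treats each one as a single literal word.
function build_pdf_command_safe(string $bin, string $url, string $out): string {
    // Explicit http(s) URL grammar: rejects shell metacharacters and also stops
    // a value beginning with "-" from being read by wkhtmltopdf as an option
    // (argument injection, a separate risk from shell injection).
    if (!preg_match('#^https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[A-Za-z0-9._~%/?=&-]*)?$#', $url)) {
        throw new InvalidArgumentException('only plain http(s) URLs may be rendered');
    }
    // Output name: no directories, no leading dash, must end in .pdf.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*\.pdf$/', $out)) {
        throw new InvalidArgumentException('output file name not allowed');
    }
    return implode(' ', array_map('escapeshellarg', [$bin, $url, $out]));
}

// Better still: pass an argument array to proc_open() (PHP >= 7.4), which
// starts the binary directly with no shell, so quoting cannot be bypassed.
function render_pdf_no_shell(string $bin, string $url, string $out): int {
    build_pdf_command_safe($bin, $url, $out);   // reuse the validation only
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open([$bin, $url, $out], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start wkhtmltopdf');
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);   // exit status of wkhtmltopdf
}

// Constructed sample inputs: a clean URL and one carrying a shell metacharacter.
$bin = '/usr/bin/wkhtmltopdf';
echo build_pdf_command_unsafe($bin, 'http://example.com/node/1; id', 'out.pdf'), "\n";
try {
    echo build_pdf_command_safe($bin, 'http://example.com/node/1', 'out.pdf'), "\n";
    build_pdf_command_safe($bin, 'http://example.com/node/1; id', 'out.pdf');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The same allow-list idea applies to the dompdf path: the HTML handed to the renderer should be filtered with the site's normal text-format rules rather than passed through as authored.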
Solution:
Install the latest version:
* If you use the print module for Drupal 7.x, upgrade to print 7.x-2.1 [3]
Alternatively, disable PDF generation, or switch the PDF generation library to another of the supported ones.
Also see the Printer, email and PDF versions [4] project page.
Reported By:
* yoloClin [5]
Fixed By:
* Lee Rowlands [6] of the Drupal Security Team
* João Ventura [7]
* yoloClin [8]
Coordinated By:
* Lee Rowlands [9] of the Drupal Security Team
* Michael Hess [10] of the Drupal Security Team
[1] https://www.drupal.org/project/print
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/print/releases/7.x-2.1
[4] https://www.drupal.org/project/print
[5] https://www.drupal.org/user/3585171
[6] https://www.drupal.org/user/395439
[7] https://www.drupal.org/user/122464
[8] https://www.drupal.org/user/3585171
[9] https://www.drupal.org/user/395439
[10] https://www.drupal.org/u/mlhess