
Possible path manipulation vulnerability

Open enferas opened this issue 3 years ago • 1 comments

Hello,

I would like to report a path manipulation vulnerability.

The path of the vulnerability.

In file system/helpers/dompdf/load_font.php

```php
// line 171
call_user_func_array("install_font_family", array_slice($_SERVER["argv"], 1));

// line 66
function install_font_family($fontname, $normal, $bold = null, $italic = null, $bold_italic = null) {
  // ...

  $fonts = compact("normal", "bold", "italic", "bold_italic");
  // ...

  // Copy the files to the font directory.
  foreach ($fonts as $var => $src) {
    // ...

    if ( !copy($src, $dest) )
      //...
  }
```

The variable src is coming from $_SERVER["argv"]. Then there is a path manipulation vulnerability.

enferas, Nov 13 '21 17:11
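One way to constrain the source paths before they reach `copy()`, as an added example that is not code from tripexpress or dompdf. `FONT_SOURCE_DIR`, `FONT_EXTENSIONS` and `resolve_font_source()` are hypothetical names, and the directory and extension list are assumptions.

```php
<?php
// Added example: validate argv-supplied font paths before any copy() call.
const FONT_SOURCE_DIR = '/srv/app/font-uploads';   // assumed trusted source directory
const FONT_EXTENSIONS = ['ttf', 'otf', 'afm'];     // assumed allow-list

/** Return the canonical path of a font file inside $baseDir, or throw. */
function resolve_font_source(string $src, string $baseDir): string {
    $base = realpath($baseDir);
    $real = realpath($src);   // resolves ".." and symlinks; false if the path is missing
    if ($base === false || $real === false || !is_file($real)) {
        throw new InvalidArgumentException("Not a readable file: $src");
    }
    // Compare with a trailing separator so "/fonts-other" does not match "/fonts".
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException("Outside font source directory: $src");
    }
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if (!in_array($ext, FONT_EXTENSIONS, true)) {
        throw new InvalidArgumentException("Unexpected file type: $src");
    }
    return $real;
}

// With register_argc_argv enabled, a web SAPI fills argv from the query string,
// so refuse to act on argv unless the script really runs from the command line.
if (PHP_SAPI !== 'cli') {
    http_response_code(403);
    exit("load_font.php is a command-line tool\n");
}

$args = array_slice($_SERVER['argv'], 1);
if (count($args) < 2 || count($args) > 5) {
    fwrite(STDERR, "usage: load_font.php name normal [bold] [italic] [bold_italic]\n");
    exit(1);
}
$fontname = array_shift($args);
try {
    $fonts = array_map(fn($p) => resolve_font_source($p, FONT_SOURCE_DIR), $args);
} catch (InvalidArgumentException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
// From here on, only canonical, allow-listed paths in $fonts are passed to copy().
```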

CVE-2021-43691 is assigned to the discovery.

An unspecified version of tripexpress is affected by a path manipulation vulnerability in file system/helpers/dompdf/load_font.php. The variable src is coming from $_SERVER["argv"] then there is a path manipulation vulnerability.

enferas, Dec 02 '21 19:12