webmaster, seo adn smo

Print - Local file read access

dev1961's picture

* Advisory ID: DRUPAL-SA-CONTRIB-2010-082
* Project: Printer, e-mail and PDF versions (third-party module)
* Version: 5.x, 6.x
* Date: 2010-August-11
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Local file read access

-------- DESCRIPTION
---------------------------------------------------------

The Printer, e-mail and PDF versions ("print") module provides
printer-friendly versions of content, including a PDF version that is
generated by one of three supported generation tools (dompdf, TCPDF and
wkhtmltopdf). When using the wkhtmltopdf PDF generation tool, that tool is
able to access local files in the Drupal server environment. Users with the
ability to create unfiltered HTML in the node content could trick the tool to
access any file accessible by the Web server user and to display its contents
inside the generated PDF. Sites should not grant the ability to post
unfiltered HTML to untrusted roles.
-------- VERSIONS AFFECTED
---------------------------------------------------

* Printer, e-mail and PDF versions 6.x prior to 6.x-1.11
* Printer, e-mail and PDF versions 5.x prior to 5.x-4.10

Drupal core is not affected. If you do not use the contributed Printer,
e-mail and PDF versions module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------

Install the latest version:
* If you use Printer, e-mail and PDF versions for Drupal 6.x upgrade to
Printer, e-mail and PDF versions 6.x-1.11 [1]
* If you use Printer, e-mail and PDF versions for Drupal 5.x upgrade to
Printer, e-mail and PDF versions 5.x-4.10 [2]

If you use the wkhtmltopdf PDF generation tool, and it's version is older
than 0.9.6, please upgrade [3] to a more recent version, as the module now
supports only versions 0.9.6 or higher. See also the Printer, e-mail and PDF
versions project page [4].
-------- REPORTED BY
---------------------------------------------------------

* Douglas Bagnall [5]

-------- FIXED BY
------------------------------------------------------------

* João Ventura [6], module maintainer
* James Gilliland [7], module maintainer