HRConvert2 Command Injection Vulnerability Allowing Remote Code Execution
Vulnerability
A critical command injection vulnerability has been identified in HRConvert2 versions prior to 3.3.8. The issue arises in the sanitizeString() function within convertCore.php, where backtick and tab characters are not properly sanitized. As a result, user-controlled input reaches shell_exec() unneutralized, allowing arbitrary commands to be executed or files to be dropped into accessible locations on the server.
Impact
Exploitation of this vulnerability allows arbitrary command execution on the server, running in the context of the web server user, such as www-data. This could lead to a complete takeover of the server by a remote attacker.
Reproduction
The vulnerability can be reproduced by uploading a PNG file whose name includes a backtick, such as 'x`id`.png', and then requesting a conversion to JPG. The backtick is interpreted by the shell, allowing commands to be executed. Alternatively, a file can be uploaded with a name that includes a tab character, which the shell treats as a command separator that extends the command; this can be used to drop a PHP web shell onto the server.
Remediation
Users are advised to update HRConvert2 to version 3.3.8 or later. The latest version is available from the HRConvert2 GitHub releases page.
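To illustrate the class of flaw described above and the fix pattern a maintainer would apply, here is an added example in PHP. It is not HRConvert2's code: weakSanitize() is a constructed blocklist filter standing in for a sanitizer that overlooks backtick and tab, and the hardened path assumes an ImageMagick-style `convert` backend, which is an assumption for illustration only.

```php
<?php
// Added illustration, not HRConvert2's sanitizeString(): a blocklist
// filter that misses backtick and tab, next to an allowlist-plus-quoting
// approach that never lets the shell interpret the filename.

// Hypothetical blocklist sanitizer (constructed for this example). It strips
// some shell metacharacters but, like the flaw in the advisory, leaves the
// backtick (`) and the tab character untouched.
function weakSanitize(string $name): string {
    return str_replace([';', '|', '&', '$', '(', ')', '<', '>'], '', $name);
}

// Hardened validation: accept only a narrow allowlist and reject everything
// else instead of trying to "clean" it. Returns null when the name is unsafe.
function safeFilename(string $name): ?string {
    // Letters, digits, dot, dash, underscore only; must end in a known image extension.
    if (!preg_match('/^[A-Za-z0-9._-]{1,100}\.(png|jpe?g|gif)$/i', $name)) {
        return null;
    }
    // Defence in depth: no slashes can pass the regex, but refuse ".." anyway.
    if (strpos($name, '..') !== false) {
        return null;
    }
    return $name;
}

// Build the conversion command only from validated, shell-quoted arguments.
// escapeshellarg() wraps the value in single quotes and escapes embedded
// quotes, so backticks, tabs or other metacharacters are passed literally.
function buildConvertCommand(string $name, string $target): ?string {
    $safe = safeFilename($name);
    if ($safe === null) {
        return null;
    }
    return 'convert ' . escapeshellarg($safe) . ' ' . escapeshellarg($target);
}

// Constructed sample names mirroring the advisory's two cases plus a benign one.
$samples = ["report.png", "x`id`.png", "shell.php\t.png"];
foreach ($samples as $s) {
    $weak = weakSanitize($s);               // unchanged for both malicious names
    $cmd  = buildConvertCommand($s, 'out.jpg');
    printf("%-22s weak=%-22s hardened=%s\n",
        json_encode($s), json_encode($weak), $cmd ?? 'REJECTED');
}
```

Running it shows the blocklist leaving both malicious names intact while the allowlist rejects them and quotes the benign one, which is the behaviour a patched sanitizer should exhibit regardless of the exact characters an attacker chooses.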
