FlexPaper <= 2.3.6 Remote Command Execution

From: Red Timmy Sec - <redazione@segfault.it>
To: bugtraq@securityfocus.com
Subject: FlexPaper <= 2.3.6 Remote Command Execution

FlexPaper (https://www.flowpaper.com) is an open source project, released under GPL license, quite widespread over the internet. It provides document viewing functionalities to web clients, mobile and tablet devices. At least until 2014 the component has been actively used by WikiLeaks, when it was discovered to be affected by a XSS vulnerability subsequently patched.

Around one year ago Red Timmy Sec discovered a Remote Command Execution vulnerability on FlexPaper. The vendor was immediately contacted and a CVE registered (2018-11686). However the vulnerability itself has remained undisclosed until now, regardless the fact that a patch has been issued with the release 2.3.7 of the project.

Full analysis of this vulnerability can be found here: https://redtimmysec.wordpress.com/2019/03/07/flexpaper-remote-code-execution/

Copyright © 1995-2019 LinuxRocket.net. All rights reserved.