Description
Directory traversal vulnerability in html2ps before 1.0b6 allows remote attackers to read arbitrary files via a .. (dot dot) in the "include file" SSI directive. NOTE: this issue only might be a vulnerability in limited scenarios, such as if html2ps is invoked by a web application, or if a user-assisted attacker provides filenames whose contents could cause a denial of service, such as certain devices.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by epiphant · pythonwebappsmultiple
https://www.exploit-db.com/exploits/10012
References (8)
Core 8
Core References
Vendor Advisory vendor-advisory
x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2012:161
Issue Tracking x_refsource_misc
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=548633
Exploit x_refsource_misc
http://packetstormsecurity.org/files/81614/html2ps-1.0-beta5-File-Disclosure.html
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/10/05/5
Issue Tracking x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=526513
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/10/05/1
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/36524
Patch x_refsource_confirm
http://user.it.uu.se/~jan/html2ps-1.0b7.tar.gz
Scores
EPSS
0.2103
EPSS Percentile
95.7%
Details
CWE
CWE-22
Status
published
Products (2)
html2ps_project/html2ps
1.0 b1 (4 CPE variants)
html2ps_project/html2ps
< 1.0
Published
Oct 10, 2012
Tracked Since
Feb 18, 2026