Bypassing Apache FOP PostScript Escaping to Reach GhostScript
6 days ago
- #Apache FOP
- #GhostScript
- #PostScript Injection
- Bug bounty program involving Apache FOP and GhostScript for generating PDFs from user-supplied XML.
- Vulnerability allows escaping the PostScript string context to execute arbitrary PostScript commands.
- Exploit involves injecting PostScript commands through XML input, bypassing Apache FOP's escaping mechanism.
- Technique uses non-breaking spaces to prevent Apache FOP from breaking PostScript commands into separate strings.
- Payload includes redefining the backslash character and executing commands to read files, demonstrated by reading a flag from /tmp.
- Target application ran on Windows; CVE-2025-46646 was leveraged for file system access.
- Apache FOP will not fix the bug; documentation will be updated to clarify security expectations.