
Critical vulnerability in a popular PHP library

An ethical hacker from the International Institute of Cyber Security reports the discovery of a critical security vulnerability in TCPDF, one of the most widely used PHP libraries for generating PDF files.

According to the researcher, the vulnerability could be exploited by malicious users to achieve remote code execution on web pages and applications that use this library: an attacker could run arbitrary code on the server and take control of the compromised system.

This vulnerability is a variant of an earlier discovery. The original issue was found by the ethical hacker Sam Thomas, who about a year ago demonstrated a deserialization vulnerability affecting PHP applications: PHP unserializes the metadata of a phar archive as soon as a phar:// path reaches an ordinary filesystem function, so any code that opens or inspects a path an attacker controls becomes a deserialization sink.

According to reports, the new variant can be exploited in two ways:

  • When websites allow user-supplied data to become part of the PDF generation process
  • When websites have XSS vulnerabilities that let an attacker inject markup into the HTML source that is handed to the TCPDF library for conversion to PDF
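
Both entry points end at the same place: untrusted HTML reaching TCPDF::writeHTML(), whose image and link handling touches the paths it finds in src attributes. The following is an added example for this article, not TCPDF's code and not the reporter's proof of concept; it shows how an application can close that path on its side. The function names, the ALLOWED_* lists, the tecnickcom/tcpdf package name used in the usage note, and the constructed hostile input are this example's own choices, not a TCPDF API.

```php
<?php
declare(strict_types=1);

// Added example for this article; it is not TCPDF's code and not the
// reporter's proof of concept. It hardens the point where user-controlled
// HTML reaches TCPDF::writeHTML(). The function names and the ALLOWED_*
// lists are this example's own choices, not a TCPDF API.

const ALLOWED_TAGS  = ['p', 'b', 'i', 'u', 'br', 'h1', 'h2', 'h3', 'ul', 'ol', 'li',
                       'table', 'tr', 'td', 'th', 'img'];
const ALLOWED_ATTRS = ['src', 'width', 'height', 'colspan', 'rowspan'];

/**
 * Defence in depth. A phar:// path reaching any filesystem function
 * (file_exists(), getimagesize(), ...) makes PHP unserialize the archive's
 * metadata; with the wrapper unregistered for this request that cannot
 * happen, whatever survives in an src attribute.
 */
function disable_phar_wrapper(): void
{
    if (in_array('phar', stream_get_wrappers(), true)) {
        stream_wrapper_unregister('phar');
    }
}

/** Allow only http(s) URLs or plain relative paths; every other scheme is refused. */
function is_safe_resource(string $ref): bool
{
    $ref = trim($ref);
    if (preg_match('#^([a-z][a-z0-9+.\-]*):#i', $ref, $m) === 1) {
        // phar://, file://, data:, ftp://, javascript: and Windows drive letters all land here.
        return in_array(strtolower($m[1]), ['http', 'https'], true);
    }
    // Scheme-less reference: no absolute path, no traversal, no backslashes.
    return $ref !== ''
        && $ref[0] !== '/'
        && strpos($ref, '..') === false
        && strpos($ref, '\\') === false;
}

/** Reduce arbitrary HTML to the tags and attributes the PDF actually needs. */
function sanitize_pdf_html(string $html): string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // tolerate sloppy markup quietly
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body  = $doc->getElementsByTagName('body')->item(0);
    $xpath = new DOMXPath($doc);

    // Snapshot the node list first: removing from a live DOMNodeList skips siblings.
    foreach (iterator_to_array($xpath->query('//body//*'), false) as $el) {
        if (!in_array(strtolower($el->tagName), ALLOWED_TAGS, true)) {
            // <script>, <iframe>, <object>, <form>, ... go, children included.
            if ($el->parentNode !== null) {
                $el->parentNode->removeChild($el);
            }
            continue;
        }
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, ALLOWED_ATTRS, true)
                || ($name === 'src' && !is_safe_resource($attr->value))) {
                $el->removeAttribute($attr->name);   // drops on* handlers, style, hostile src
            }
        }
    }

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Intended use inside the application (needs TCPDF installed, so not run here):
//   disable_phar_wrapper();
//   $pdf->writeHTML(sanitize_pdf_html($untrustedHtml));

if (PHP_SAPI === 'cli' && realpath($_SERVER['argv'][0] ?? '') === __FILE__) {
    disable_phar_wrapper();
    // Constructed input standing in for a form field or an XSS-planted comment.
    $hostile = '<p>Invoice <b>#42</b></p>'
        . '<img src="phar://uploads/avatar.jpg/x" width="1">'      // wrapper-backed path
        . '<img src="../../etc/passwd">'                           // traversal
        . '<img src="logo.png" onerror="alert(1)">'                // event handler
        . '<script>document.location="https://evil.example/"</script>';
    echo sanitize_pdf_html($hostile), PHP_EOL;
}
```

Run as a CLI script it prints the paragraph and the three images with the phar and traversal src values and the onerror handler removed, and the script element gone entirely. The sanitizer addresses the first entry point (user data flowing into PDF generation); the wrapper unregistration is there because the second entry point, XSS or injection into stored content, can put markup in front of TCPDF that never passed through a form filter. Neither replaces the upgrade: on a Composer-managed project, `composer show tecnickcom/tcpdf` shows the installed version, which should be 6.2.22 or later.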

The attack is genuinely complex and requires advanced coding knowledge to exploit. According to experts, deserialization exploits are hard to find but can have catastrophic consequences in languages such as Ruby, Java and PHP, because restoring an object from attacker-controlled bytes lets that attacker choose which classes, and therefore which code paths, the application runs.

TCPDF's developers were informed of the vulnerability (tracked as CVE-2018-17057) in August last year. A month later, TCPDF 6.2.20 was released to correct it. However, users are advised to update to version 6.2.22, because the fix was disabled in a subsequent release while a different vulnerability was being addressed.

TCPDF is one of the most popular PHP libraries today, used by many independent website operators, content management systems, intranets and PDF-related web applications, among other uses.

This is another sign that patching a vulnerability is not a simple task; in some cases it may be necessary to rewrite large stretches of code, not just a few fragments, and, as the disabled fix shows, a patch can be undone by later changes, so the version actually deployed should be checked rather than assumed.
