Severe Security Bug Found in Popular PHP Library for Creating PDF Files (Mar 19, 2019)
An Italian security researcher going by the handle "Polict" discovered that the vulnerability identified by Sam Thomas in summer 2018 affecting the "TCPDF" PHP library has inadvertently been "un-patched." The newly found vulnerability is a variation of the one discovered by Thomas, registered as "CVE-2018-17057," which was reportedly fixed in TCPDF version 6.2.20. The vulnerability was accidentally reintroduced when the TCPDF team attempted to fix the vulnerability reported by Polict. The vulnerability is a PHP serialization issue that could be exploited by threat actors in two ways. First, an actor could find a website that "allow[s] user input to be part of the PDF file generation process, such as when adding names of other details inside invoices." Second, the vulnerability could be exploited on websites that are already affected by Cross-Site Scripting (XSS) attacks "where an attacker can plant malicious code inside the HTML source code that will be fed to the TCPDF library to convert into a PDF."
Recommendation: TCPDF has released version 6.2.22 to address both vulnerabilities mentioned above. This story shows the potential risk posed to organizations that do not have update/patch policies in place to avoid potential malicious activity. In addition to keeping server software up to date, it is critical that all external-facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.
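As an added example, not code from this story or from the TCPDF project, the following PHP wrapper applies the two mitigations the story implies: it refuses to render when the installed TCPDF is older than 6.2.22, and it escapes every user-supplied invoice field before the HTML reaches writeHTML, so names or other details are rendered as text rather than parsed as markup. It assumes TCPDF is installed through Composer (package tecnickcom/tcpdf); the invoice template and sample data are constructed for illustration.

```php
<?php
// Added example (not TCPDF's own code). Assumes a Composer install of tecnickcom/tcpdf.
require __DIR__ . '/vendor/autoload.php';

const MIN_SAFE_TCPDF = '6.2.22'; // release named in the story as fixing both issues

// Refuse to render untrusted content with a TCPDF release that predates the fix.
function assertPatchedTcpdf(): void
{
    $installed = TCPDF_STATIC::getTCPDFVersion();
    if (version_compare($installed, MIN_SAFE_TCPDF, '<')) {
        throw new RuntimeException(
            'TCPDF ' . $installed . ' predates ' . MIN_SAFE_TCPDF . '; refusing to render untrusted content'
        );
    }
}

// Escape an untrusted field so TCPDF renders it as text, never as HTML it has to interpret.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Build the invoice PDF. The template is fixed server-side; user data only appears escaped.
function renderInvoice(array $customer, array $lines): string
{
    assertPatchedTcpdf();
    $rows = '';
    foreach ($lines as $line) {
        $rows .= '<tr><td>' . esc($line['item']) . '</td>'
               . '<td>' . number_format((float) $line['amount'], 2) . '</td></tr>';
    }
    $html = '<h1>Invoice</h1><p>Billed to: ' . esc($customer['name']) . '</p>'
          . '<table border="1">' . $rows . '</table>';

    $pdf = new TCPDF('P', 'mm', 'A4', true, 'UTF-8', false);
    $pdf->AddPage();
    $pdf->writeHTML($html, true, false, true, false, '');
    return $pdf->Output('invoice.pdf', 'S'); // 'S' returns the PDF bytes as a string
}

// Constructed sample input: a customer name that would be markup if left unescaped.
$pdfBytes = renderInvoice(
    ['name' => '<b>Acme</b> & Co'],
    [['item' => 'Widget', 'amount' => '19.5']]
);
echo strlen($pdfBytes) . " bytes of PDF generated\n";
```

The version gate is the detection point worth wiring into deployment checks; the escaping is what keeps user input from becoming part of the HTML that TCPDF parses.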