
PDFObject is vulnerable to PDFInjection

Open Virgula0 opened this issue 8 months ago • 3 comments

Description

The library under examination exhibits a vulnerability as it permits the embedding of potentially malicious PDF files without implementing any sanitization measures. This vulnerability gives rise to a Cross-Site Scripting (XSS) risk when a malicious PDF is rendered. In the worst-case scenario, it could lead to Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE) if a malicious PDF is downloaded and opened.

This vulnerability is particularly concerning due to the capability of certain PDFs to embed JavaScript code, which, when executed, poses a significant security threat. Unlike the library in question, HTML <iframe> tags offer a safer alternative for embedding PDFs. They allow the use of the sandbox attribute in conjunction with a well-configured Content Security Policy (CSP) and security headers like X-Frame-Options to mitigate the security risks associated with malicious PDFs, thereby avoiding the vulnerabilities inherent in the library.

<iframe src="payload1.pdf" sandbox></iframe>

Affected Versions

  • Sanitization checks appear to be absent from the library since its initial release, which can be inferred to be any version prior to 2.2.12

Vulnerable POC

<!DOCTYPE html>
<html>
<head>
    <title>PDF Embed Example</title>
</head>
<body>
    <!-- Include PDFObject library -->
    <script src="https://cdnjs.cloudflare.com/ajax/libs/pdfobject/2.2.12/pdfobject.min.js"
        integrity="sha512-lDL6DD6x4foKuSTkRUKIMQJAoisDeojVPXknggl4fZWMr2/M/hMiKLs6sqUvxP/T2zXdrDMbLJ0/ru8QSZrnoQ=="
        crossorigin="anonymous" referrerpolicy="no-referrer"></script>

    <!-- Container for embedding PDF -->
    <div id="example1"></div>

    <!-- Script to embed the PDF in the specified container -->
    <script>
        // Embed the PDF with PDFObject
        PDFObject.embed("payload1.pdf", "#example1");
    </script>
</body>
</html>

[Screenshot from 2023-11-03 16-28-17]

References

  • Payload 1
    • https://raw.githubusercontent.com/luigigubello/PayloadsAllThePDFs/main/PDF%20Files/payload1.pdf
  • PDFs injections
    • https://portswigger.net/research/portable-data-exfiltration
    • https://medium.com/@urshilaravindran/pdf-injection-in-simple-words-8c399f92593c

Virgula0 avatar Nov 03 '23 15:11 Virgula0