PDFObject
PDFObject is vulnerable to PDFInjection
Description
The library under examination is vulnerable because it permits the embedding of potentially malicious PDF files without implementing any sanitization measures. This gives rise to a Cross-Site Scripting (XSS) risk when a malicious PDF is rendered. In the worst case it could lead to Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE) if a malicious PDF is downloaded and opened.
This vulnerability is particularly concerning because certain PDFs can embed JavaScript code, which, when executed, poses a significant security threat. Unlike the library in question, HTML <iframe> tags offer a safer alternative for embedding PDFs: they allow the use of the sandbox attribute in conjunction with a well-configured Content Security Policy (CSP) and security headers like X-Frame-Options to mitigate the security risks associated with malicious PDFs, thereby avoiding the vulnerabilities inherent in the library.
<iframe src="payload1.pdf" sandbox></iframe>
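The mitigation described above, as an added example that is not part of the advisory or of the PDFObject project: instead of handing an attacker-influenced URL to PDFObject.embed(), the page builds a sandboxed <iframe> only for PDFs on an allow-listed origin and is itself served with a CSP that restricts frame sources plus X-Frame-Options. The origin https://docs.example.com is an assumption.

```javascript
// Added example (not from the advisory or PDFObject). Assumption: trusted
// PDFs are only ever served from this origin.
const ALLOWED_ORIGIN = "https://docs.example.com";

// Accept only http(s) URLs that resolve to the allowed origin and end in .pdf.
// javascript:, data: and cross-origin URLs all fail the origin check.
function isAllowedPdfUrl(raw) {
  let url;
  try {
    url = new URL(raw, ALLOWED_ORIGIN); // relative paths resolve to the allowed origin
  } catch (e) {
    return false;
  }
  return url.origin === ALLOWED_ORIGIN && url.pathname.toLowerCase().endsWith(".pdf");
}

// Escape for safe placement inside a double-quoted HTML attribute.
function escapeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Build the embed markup. An empty sandbox attribute applies every restriction:
// no script execution, no same-origin access, no forms, no top-level navigation.
function sandboxedPdfIframe(raw) {
  if (!isAllowedPdfUrl(raw)) {
    throw new Error("refusing to embed PDF from an unexpected origin or type");
  }
  const href = new URL(raw, ALLOWED_ORIGIN).href;
  return `<iframe src="${escapeAttr(href)}" sandbox="" referrerpolicy="no-referrer"></iframe>`;
}

// Response headers for the HTML page that hosts the iframe: frames may only be
// loaded from the allowed origin, and the page itself may not be framed.
function embeddingPageHeaders() {
  return {
    "Content-Security-Policy":
      `default-src 'self'; script-src 'self'; frame-src ${ALLOWED_ORIGIN}; object-src 'none'`,
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
  };
}

module.exports = { isAllowedPdfUrl, sandboxedPdfIframe, embeddingPageHeaders };
```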
Affected Versions
- Sanitization checks appear to be absent from the library since its initial release, so the affected versions can be inferred to be any version prior to 2.2.12.
Vulnerable POC
<!DOCTYPE html>
<html>
  <head>
    <title>PDF Embed Example</title>
  </head>
  <body>
    <!-- Include PDFObject library -->
    <script src="https://cdnjs.cloudflare.com/ajax/libs/pdfobject/2.2.12/pdfobject.min.js"
            integrity="sha512-lDL6DD6x4foKuSTkRUKIMQJAoisDeojVPXknggl4fZWMr2/M/hMiKLs6sqUvxP/T2zXdrDMbLJ0/ru8QSZrnoQ=="
            crossorigin="anonymous" referrerpolicy="no-referrer"></script>

    <!-- Container for embedding PDF -->
    <div id="example1"></div>

    <!-- Script to embed the PDF in the specified container -->
    <script>
      // Embed the PDF with PDFObject
      PDFObject.embed("payload1.pdf", "#example1");
    </script>
  </body>
</html>
References
- Payload 1: https://raw.githubusercontent.com/luigigubello/PayloadsAllThePDFs/main/PDF%20Files/payload1.pdf
- PDF injections:
  - https://portswigger.net/research/portable-data-exfiltration
  - https://medium.com/@urshilaravindran/pdf-injection-in-simple-words-8c399f92593c