Severe security bug found in popular PHP library for creating PDF files

Vulnerability patched last year, but many websites and web apps will most likely remain vulnerable for years.


A security researcher has found a severe security flaw in one of the internet's most popular PHP libraries for creating PDF files.

The vulnerability impacts TCPDF, one of the "big three" PHP libraries --together with mPDF and FPDF-- for converting HTML code to PDF docs or assembling PDF files on the fly.

The security flaw can be exploited by an attacker to achieve "remote code execution" on websites and web apps that use the TCPDF library, allowing a threat actor to run malicious code and potentially take over these systems.

The vulnerability, per se, is actually a variation of another researcher's discovery.

The initial flaw was found by Secarma researcher Sam Thomas who in a series of experiments showcased a new deserialization bug affecting PHP apps over the summer of 2018. He released a research paper detailing PHP serialization attacks against the WordPress and Typo3 CMS platforms, but also the TCPDF library embedded inside the Contao CMS.

How the new TCPDF attack works

In a blog post published over the weekend, an Italian security researcher who goes online as Polict revealed a new PHP serialization flaw impacting TCPDF in the same way as the one discovered by Thomas last year.

Polict says the vulnerability he found can be exploited in two ways. The first case is on websites that allow user input to be part of the PDF file generation process, such as when adding names or other details inside invoices.

The second is on websites that contain cross-site scripting (XSS) vulnerabilities where an attacker can plant malicious code inside the HTML source code that will be fed to the TCPDF library to convert into a PDF.

The trick is to supply malformed data to the TCPDF library. This data is modified in such a way to force the TCPDF library to call the PHP server's "phar://" stream wrapper, and later abuse the PHP deserialization process to run code on the underlying server.

It's a very complex attack routine, and it requires advanced PHP coding knowledge to exploit. Deserialization exploits, in general, are hard to uncover and they're the bane of many programming languages, including Ruby, Java, and .NET --besides PHP.
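As an added defensive illustration, not code from the article, from Polict, or from the TCPDF project: a PHP pre-filter that removes image sources naming a non-HTTP scheme (such as the phar:// wrapper described above) or a local file outside an allowed directory, applied before user-influenced HTML is handed to an HTML-to-PDF converter. The function names, the allowed-directory layout and the sample HTML are assumptions; upgrading to TCPDF 6.2.22 or later remains the actual fix, and this is only an extra layer of input validation.

```php
<?php
// Added example (not TCPDF's own code): filter <img src> values before HTML that
// users can influence reaches an HTML-to-PDF library. Rejects stream-wrapper
// schemes like phar:// and local paths that escape the allowed image directory.

// Optional hardening, assumed suitable only if the application never opens .phar
// archives: removing the wrapper means no library code can open phar:// paths.
// stream_wrapper_unregister('phar');

function sanitizeImageSources(string $html, string $allowedDir): string
{
    $base = realpath($allowedDir);
    $base = ($base === false ? '' : rtrim($base, DIRECTORY_SEPARATOR)) . DIRECTORY_SEPARATOR;

    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate sloppy user-supplied HTML
    $doc->loadHTML($html, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();

    // Copy the live NodeList first so removing nodes does not disturb iteration.
    foreach (iterator_to_array($doc->getElementsByTagName('img')) as $img) {
        if (!isImageSourceAllowed($img->getAttribute('src'), $base)) {
            $img->parentNode->removeChild($img);
        }
    }
    return $doc->saveHTML();
}

function isImageSourceAllowed(string $src, string $allowedDir): bool
{
    $scheme = parse_url($src, PHP_URL_SCHEME);
    if ($scheme === false) {
        return false; // unparseable URL: reject rather than guess
    }
    if ($scheme !== null) {
        // Any non-HTTP scheme (phar://, php://, file://, data:, ...) is rejected.
        return in_array(strtolower($scheme), ['http', 'https'], true);
    }
    // Scheme-less value: treat as a local file that must resolve inside $allowedDir.
    $real = realpath($src);
    return $real !== false && strncmp($real, $allowedDir, strlen($allowedDir)) === 0;
}

// Constructed sample input for demonstration, not taken from any real site.
$untrusted = '<p>Invoice for <b>ACME Ltd</b></p>'
    . '<img src="phar://untrusted.phar/logo.png">'
    . '<img src="https://cdn.example.invalid/logo.png">';
echo sanitizeImageSources($untrusted, __DIR__ . '/images');
```

The first image tag is dropped because its scheme is phar, while the https image survives; a scheme-less path is kept only if it resolves under the allowed directory.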

Flaw fixed in v6.2.20... erm... v6.2.22

The researcher says he reported the vulnerability (CVE-2018-17057) to the TCPDF library author last August. The TCPDF team released TCPDF 6.2.20 in September to address the issue.

However, users should update to at least version 6.2.22 because the TCPDF team accidentally re-introduced the vulnerability reported by Sam Thomas while attempting to patch the one reported by Polict. Both issues were deemed resolved in version 6.2.22.

The Italian security researcher published details about this vulnerability only today, six months after the patch, because of the bug's severity and to allow website and web app owners enough time to patch.

The TCPDF library is one of today's most popular PHP libraries and has been used all over the place --in standalone websites, in content management systems (CMSs), CMS plugins, CMS themes, enterprise intranets, CRMs, HRMs, invoicing solutions, many PDF-centered web apps, and others.

Patching isn't as easy as it sounds. In some cases, this might mean replacing a file and editing a build instruction, but in other places, this might require rewriting large swaths of code.
