Severe Security Bug In PHP Library Used in PDF Files

Secarma researcher Sam Thomas was the first to identify a severe security flaw affecting TCPDF, one of the “big three” PHP libraries for generating PDF files. TCPDF is free and open-source software (FOSS) written in PHP that lets an application create PDF files. A researcher known as “Polict” recently discovered a variant of this vulnerability, which can be exploited either on websites that allow users to generate PDFs or on websites that contain cross-site scripting (XSS) weaknesses. In either case, malicious code could be planted in the data that is fed to the TCPDF library when the PDF is created. TCPDF is used in many places, including content management systems (CMS), CMS plugins and themes, enterprise intranets, and invoicing solutions. The NJCCIC recommends patching affected systems as updates become available. More technical details on the TCPDF vulnerability can be found in Polict’s blog post and ZDNet’s coverage.

Alert | NJCCIC | Tags: PHP, pdf, XSS