pipwerks / PDFObject

A lightweight JavaScript utility for dynamically embedding PDFs in HTML documents.
http://pdfobject.com/

PDFObject is vulnerable to PDFInjection #295

Closed Virgula0 closed 8 months ago

Virgula0 commented 1 year ago

Description

The library under examination exhibits a vulnerability as it permits the embedding of potentially malicious PDF files without implementing any sanitization measures. This vulnerability gives rise to a Cross-Site Scripting (XSS) risk when a malicious PDF is rendered. In the worst-case scenario, it could lead to Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE) if a malicious PDF is downloaded and opened.

This vulnerability is particularly concerning due to the capability of certain PDFs to embed JavaScript code, which, when executed, poses a significant security threat. Unlike the library in question, HTML <iframe> tags offer a safer alternative for embedding PDFs. They allow the use of the sandbox attribute in conjunction with a well-configured Content Security Policy (CSP) and security headers like X-Frame-Options to mitigate the security risks associated with malicious PDFs, thereby avoiding the vulnerabilities inherent in the library.

<iframe src="payload1.pdf" sandbox></iframe>

Affected Versions

Vulnerable POC

<!DOCTYPE html>
<html>
<head>
    <title>PDF Embed Example</title>
</head>
<body>
    <!-- Include PDFObject library -->
    <script src="https://cdnjs.cloudflare.com/ajax/libs/pdfobject/2.2.12/pdfobject.min.js"
        integrity="sha512-lDL6DD6x4foKuSTkRUKIMQJAoisDeojVPXknggl4fZWMr2/M/hMiKLs6sqUvxP/T2zXdrDMbLJ0/ru8QSZrnoQ=="
        crossorigin="anonymous" referrerpolicy="no-referrer"></script>

    <!-- Container for embedding PDF -->
    <div id="example1"></div>

    <!-- Script to embed the PDF in the specified container -->
    <script>
        // Embed the PDF with PDFObject
        PDFObject.embed("payload1.pdf", "#example1");
    </script>
</body>
</html>

[Screenshot attached: 2023-11-03 16-28-17]

References

pipwerks commented 1 year ago

Thanks for reporting. The latest dev branch has already been modified to only use iframe (no object), I will look into adding the sandbox attribute.

Virgula0 commented 1 year ago

Please note that sanitization, for the purpose of the library, should occur at a lower level when a file is read. The sandbox attribute can help but is not the final solution to achieve sanitization. Unfortunately, I have to warn you that this task can be quite challenging to achieve due to the fact that there are no external libraries that seem to support the PDF sanitization process.
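An added example, not code from this issue or from the PDFObject project, of what an "inspect the file before embedding" step can look like in Node.js. It scans the raw bytes of a PDF for the dictionary keys that carry active content (/JavaScript, /JS, /OpenAction, /AA, /Launch and similar), decodes the #xx escapes that the PDF specification allows inside names, and refuses to embed when any such key is present or when the file contains compressed object streams or encryption, which a byte scan cannot see into. The two PDF byte strings, the key list and the function names are constructed for this example; the check is a triage filter, not a sanitizer, which is exactly the gap the comment above describes.

```javascript
// Added example (not PDFObject code): pre-embed triage of a PDF's bytes for
// active-content keys. Constructed for illustration; not a full PDF parser.

// Dictionary keys that indicate script, actions or payload carriers
// (see PDF 32000-1:2008, sections 12.6 Actions and 12.7 Forms).
const ACTIVE_KEYS = [
  "/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
  "/SubmitForm", "/ImportData", "/RichMedia", "/EmbeddedFile",
];

// A name token ends at whitespace, a delimiter, or end of input.
const NAME_END = "(?=$|[\\s/<>\\[\\]()%])";

// PDF names may spell characters as #xx hex escapes (e.g. /J#61vaScript),
// so decode them before matching. Applying this to the whole file is
// acceptable for triage; it may also touch bytes inside streams.
function decodeNames(text) {
  return text.replace(/#([0-9A-Fa-f]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Scan a Buffer and report which active-content keys appear, plus whether
// parts of the file are opaque to a plain byte scan.
function scanPdf(bytes) {
  const text = decodeNames(bytes.toString("latin1"));
  const findings = [];
  for (const key of ACTIVE_KEYS) {
    if (new RegExp(key + NAME_END).test(text)) findings.push(key);
  }
  // Objects inside /ObjStm are compressed and encrypted files are ciphered:
  // in both cases keys above could be present but invisible here.
  const opaque =
    new RegExp("/ObjStm" + NAME_END).test(text) ||
    new RegExp("/Encrypt" + NAME_END).test(text);
  return {
    isPdf: text.startsWith("%PDF-"), // strict: no junk allowed before the header
    findings,
    opaque,
  };
}

// Policy decision a defender would gate PDFObject.embed() on: only a file
// that is a PDF, shows no active-content keys, and is fully inspectable.
function shouldEmbed(bytes) {
  const r = scanPdf(bytes);
  return r.isPdf && r.findings.length === 0 && !r.opaque;
}

// Constructed sample inputs (minimal, not valid for rendering).
const CLEAN_PDF = Buffer.from(
  "%PDF-1.4\n" +
  "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n" +
  "2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n" +
  "trailer << /Root 1 0 R >>\n%%EOF\n", "latin1");

const SCRIPTED_PDF = Buffer.from(
  "%PDF-1.4\n" +
  "1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n" +
  "2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n" +
  "3 0 obj << /S /J#61vaScript /JS (constructed-sample) >> endobj\n" +
  "trailer << /Root 1 0 R >>\n%%EOF\n", "latin1");

console.log("clean:", scanPdf(CLEAN_PDF), "embed?", shouldEmbed(CLEAN_PDF));
console.log("scripted:", scanPdf(SCRIPTED_PDF), "embed?", shouldEmbed(SCRIPTED_PDF));
```

In practice the scan runs server-side (or in a build step) on the file being served, and the front end only calls PDFObject.embed for files that passed; a file flagged as opaque should be decompressed with a real PDF parser and rescanned rather than trusted.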

theodore-s-beers commented 11 months ago

look into adding the sandbox attribute

In Chromium, at least, the PDF viewer is disabled completely in a sandboxed iframe. There is no workaround, nor afaik are there any plans to change this.

pipwerks commented 8 months ago

I've decided against adding sandbox for now, due to potential for breaking sites that use PDFObject. If a user wants to sandbox the iframe, the option is available via PDFObject's customAttribute option.

Thanks