PDFPatcher XML External Entity Injection Vulnerability Allowing Arbitrary File Read and SSRF

Vulnerability

A vulnerability allowing XML External Entity (XXE) injection has been identified in PDFPatcher versions through 1.1.3.4663. The issue arises in the application's XML bookmark import feature, which utilizes .NET's XmlDocument class without properly disabling external entity resolution. This oversight enables attackers to read arbitrary files from the victim's filesystem, exfiltrate sensitive data via out-of-band HTTP requests, conduct Server-Side Request Forgery (SSRF) attacks against internal network resources, or cause a denial-of-service by exploiting entity expansion.
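The .NET pattern described above, shown beside a hardened loader, as an added illustration that is not PDFPatcher's own code; the class and method names and the sample bookmark file are constructed for the example.

```csharp
using System;
using System.IO;
using System.Xml;
// Added example, not code from PDFPatcher. Names and the sample file are constructed.
public static class BookmarkXmlLoader
{
    // Weak pattern: a resolver is attached and DTD processing is enabled, so a
    // <!DOCTYPE> in the bookmark file can fetch a remote DTD and expand SYSTEM entities.
    public static XmlDocument LoadUnsafe(string path)
    {
        var reader = new XmlTextReader(path)
        {
            DtdProcessing = DtdProcessing.Parse,
            XmlResolver = new XmlUrlResolver()
        };
        var doc = new XmlDocument { XmlResolver = new XmlUrlResolver() };
        doc.Load(reader);
        return doc;
    }
    // Hardened loader: DTDs are rejected outright and no URI is ever dereferenced.
    public static XmlDocument LoadSafe(string path)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE> raises XmlException
            XmlResolver = null,                     // never fetch SYSTEM/PUBLIC URIs
            MaxCharactersFromEntities = 1024        // bounds expansion if DTDs are ever re-enabled
        };
        var doc = new XmlDocument { XmlResolver = null };
        using (var stream = File.OpenRead(path))
        using (var reader = XmlReader.Create(stream, settings))
        {
            doc.Load(reader);
        }
        return doc;
    }
    // Constructed bookmark file carrying a DOCTYPE; the hardened loader refuses it.
    public static void Main()
    {
        string sample = Path.GetTempFileName();
        File.WriteAllText(sample,
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE bookmarks [<!ENTITY ext SYSTEM \"file:///C:/constructed/example.txt\">]>\n" +
            "<bookmarks><bookmark title=\"&ext;\"/></bookmarks>");
        try { LoadSafe(sample); Console.WriteLine("loaded (unexpected)"); }
        catch (XmlException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

The same `XmlReaderSettings` can be reused for any untrusted XML the application parses, not only bookmark imports.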

Impact

Exploitation of this vulnerability could lead to unauthorized information disclosure through arbitrary file reads, unauthorized data exfiltration via out-of-band channels, SSRF attacks targeting internal network resources, and denial-of-service conditions caused by entity expansion.

Reproduction

To reproduce this vulnerability, create a malicious DTD file that defines entities for reading local files and exfiltrating their contents via an HTTP request. Host this DTD file on an HTTP server. Then, create a malicious XML bookmark file that references the hosted DTD file and includes a command to exfiltrate a file (such as 'C:/Windows/win.ini') through the established HTTP server. Import this XML file into PDFPatcher using the application's bookmark import feature. The exfiltrated data will be received by the HTTP server.

Remediation

Users are advised to update to PDFPatcher version 1.1.3.4663 or later, where this vulnerability has been addressed.

Added: Nov 17, 2025, 5:25 PM
Updated: Nov 17, 2025, 8:26 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 7.7
remediation: 0.0
relevance: 1.1
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.