PDFPatcher Directory Traversal Vulnerability Allowing Arbitrary File Uploads

Vulnerability

A directory traversal vulnerability has been identified in PDFPatcher versions prior to 1.1.3.4663. The issue arises in the image export functionality, where the application fails to properly validate user-supplied file paths. This oversight allows attackers to craft file paths that include directory traversal sequences, bypassing directory restrictions and enabling the upload of files to arbitrary locations on the filesystem. Such exploitation could lead to privilege escalation, data tampering, or system compromise.
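The following Python is an added illustration of the validation gap described above; it is not PDFPatcher's own code. It places the vulnerable pattern (joining a user-supplied file name straight onto the export directory, so that `..` segments walk out of it) beside a containment check that resolves the candidate path and refuses anything that does not land inside the intended directory. The base directory and the sample names are constructed for the example; backslashes are treated as separators regardless of host because the affected application runs on Windows.

```python
import os
from pathlib import PureWindowsPath

# Illustrative example for an image-export feature; not PDFPatcher's code.


def unsafe_output_path(base_dir: str, requested: str) -> str:
    """The vulnerable pattern: trust the supplied name and join it onto the
    export directory. A name containing '..' segments resolves outside base_dir."""
    return os.path.normpath(os.path.join(base_dir, requested))


def safe_output_path(base_dir: str, requested: str) -> str:
    """Resolve the requested name under base_dir and refuse anything that
    escapes it. Raises ValueError on rejection, returns the resolved path otherwise."""
    if "\0" in requested:
        raise ValueError("NUL byte in path")
    # The target application runs on Windows, so treat backslash as a
    # separator even when this check runs on a POSIX host.
    normalized = requested.replace("\\", "/")
    # Absolute input (POSIX root, Windows drive letter or UNC) is never acceptable.
    if os.path.isabs(normalized) or PureWindowsPath(normalized).is_absolute():
        raise ValueError("absolute path not allowed")
    base_abs = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_abs, normalized))
    # commonpath compares whole segments, so a sibling such as
    # '/srv/pdf-export-other' is not mistaken for being inside '/srv/pdf-export'.
    try:
        inside = os.path.commonpath([base_abs, candidate]) == base_abs
    except ValueError:  # different drives on Windows
        inside = False
    if not inside or candidate == base_abs:
        raise ValueError(f"path escapes export directory: {requested!r}")
    return candidate


def classify(base_dir: str, requests):
    """Return {request: True if the safe check accepts it, False if it rejects it}."""
    result = {}
    for req in requests:
        try:
            safe_output_path(base_dir, req)
            result[req] = True
        except ValueError:
            result[req] = False
    return result


# Constructed sample names; none of these come from the advisory.
SAMPLE_REQUESTS = [
    "page-1.png",
    "chapter2/page-7.jpg",
    "../../outside/file.png",
    "..\\..\\outside\\file.png",
    "/tmp/absolute.png",
    "C:\\absolute.png",
    "ok/../../escape.png",
    "..",
]

if __name__ == "__main__":
    base = "/srv/pdf-export"  # constructed export directory
    for req, accepted in classify(base, SAMPLE_REQUESTS).items():
        verdict = "ALLOW " if accepted else "REJECT"
        print(f"{verdict} {req!r:28} unchecked join -> {unsafe_output_path(base, req)}")
```

The check resolves the joined path before comparing it, so `ok/../../escape.png` is caught even though its first segment looks harmless; a string search for `..` alone would not cover every encoding of the same idea, which is why the comparison is done on the resolved path rather than on the input text.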

Impact

Exploitation of this vulnerability allows for arbitrary file writes to any accessible location on the filesystem. This could be used to overwrite critical system files, potentially leading to privilege escalation or other forms of system compromise. Additionally, the vulnerability could be exploited to tamper with data or disrupt system integrity. In some cases, according to the vulnerability researcher, this could lead to remote code execution, especially when combined with other vulnerabilities.

Reproduction

To reproduce this vulnerability, launch PDFPatcher and navigate to the image export feature. Select a PDF file with images and specify an output location that includes directory traversal sequences, such as relative paths that traverse up the directory structure. Once the export is initiated, the exported images will be written to the specified location, bypassing any intended directory restrictions. This can be verified by checking the traversed directory for the exported files.

Remediation

Users are advised to update to PDFPatcher version 1.1.3.4663 or later, where this vulnerability has been addressed.

Added: Nov 17, 2025, 5:23 PM
Updated: Nov 17, 2025, 5:23 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 6.0
remediation: 0.0
relevance: 1.1
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.