PdfDing Shared PDF Access Bypass Vulnerability Allowing Expired or Deleted Content Access
Vulnerability
A vulnerability in PdfDing versions prior to 1.7.1 allows users to access shared PDF content through the Serve and Download endpoints even after the content has expired, reached its maximum number of views, or been soft-deleted. The issue arises because the function check_shared_access_allowed() only verifies that a session exists; it does not check whether the shared PDF is inactive (expired or at its view limit) or deleted. The vulnerability can be exploited by creating a session and then accessing the endpoints with shared PDFs that have expired, exceeded their view limit, or been marked for deletion.
Impact
Exploitation of this vulnerability allows for unauthorized access to shared PDF content that should no longer be available, bypassing restrictions related to expiration, view limits, and deletion.
Reproduction
To reproduce this vulnerability, create a shared PDF with an expiration date or a maximum view count, or mark one as deleted. Then authorize a session and use the Serve or Download endpoints to access the shared PDF. Access should be denied based on the shared PDF's status, but due to the vulnerability it is granted.
Remediation
Users can update to PdfDing version 1.7.1, which includes the necessary checks for shared PDF inactivity and deletion in the access validation function.
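The following Python example is added here to illustrate the class of check described above; it is not PdfDing's own code, and the SharedPdf and Session classes, their field names, and both check functions are assumptions constructed for illustration. It places the vulnerable pattern (session existence only) beside the hardened pattern (share status re-evaluated on every request) and runs both over constructed cases: an active share, an expired one, one at its view limit, and a soft-deleted one.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set, Tuple


# Illustrative stand-in for a shared-PDF record (not PdfDing's real model;
# the field names here are assumptions).
@dataclass
class SharedPdf:
    name: str
    expiration_date: Optional[datetime] = None  # None: never expires
    max_views: Optional[int] = None             # None: unlimited views
    views: int = 0
    deleted: bool = False                       # soft-delete flag

    def inactive(self, now: datetime) -> bool:
        """True once the share has expired or used up its view allowance."""
        expired = self.expiration_date is not None and now >= self.expiration_date
        exhausted = self.max_views is not None and self.views >= self.max_views
        return expired or exhausted


@dataclass
class Session:
    """Stand-in for a session that has already authorised some shares."""
    authorized: Set[str] = field(default_factory=set)


def check_shared_access_allowed_vulnerable(session: Session, shared: SharedPdf,
                                           now: datetime) -> bool:
    # The flaw described in the advisory: only session membership is consulted,
    # so the share's own state is never re-evaluated after the session was created.
    return shared.name in session.authorized


def check_shared_access_allowed_fixed(session: Session, shared: SharedPdf,
                                      now: datetime) -> bool:
    # Hardened form: deleted and inactive shares are refused before the
    # session is even considered, on every Serve/Download request.
    if shared.deleted or shared.inactive(now):
        return False
    return shared.name in session.authorized


def build_scenarios() -> Dict[str, Tuple[bool, bool]]:
    """Constructed cases; returns {case: (vulnerable_result, fixed_result)}."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    session = Session(authorized={"report.pdf"})
    cases = {
        "active": SharedPdf("report.pdf", expiration_date=now + timedelta(days=7),
                            max_views=5, views=1),
        "expired": SharedPdf("report.pdf", expiration_date=now - timedelta(minutes=1)),
        "views_exhausted": SharedPdf("report.pdf", max_views=3, views=3),
        "soft_deleted": SharedPdf("report.pdf", deleted=True),
    }
    return {
        name: (check_shared_access_allowed_vulnerable(session, pdf, now),
               check_shared_access_allowed_fixed(session, pdf, now))
        for name, pdf in cases.items()
    }


if __name__ == "__main__":
    for case, (vuln, fixed) in build_scenarios().items():
        print(f"{case:16} vulnerable={vuln!s:5} fixed={fixed}")
```

The design point is that the session proves only that the share was valid at some earlier moment; expiration, view limits, and soft-deletion are properties of the share that change afterwards, so the status check belongs in the request-time validation rather than only at session creation. A regression test for the fixed endpoint should cover each of the three inactive states separately, since any one of them being skipped reintroduces the bypass.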
