Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-70735

Reduce information disclosure from TCPDF version

    XMLWordPrintable

Details

    • MOODLE_311_STABLE
    • MOODLE_311_STABLE
    • MDL-70735-pdf-metadata-MOODLE_311_STABLE
    • MDL-70735-pdf-metadata
    • Hide

      1) Add the attached test script to your web root and run it in a browser

      http://moodle.local/MDL-70735-pdf-hello-world.php

      2) Save this PDF

      3) Inspect the metadata with any pdf metadata tool such as pdfinfo on linux

       

      $ pdfinfo doc.pdf 
      Producer: TCPDF (http://www.tcpdf.org)
      		 
      CreationDate: Fri Jan 29 12:27:49 2021 AEDT
      		 
      ModDate: Fri Jan 29 12:27:49 2021 AEDT
      		 
      Tagged: no
      		 
      UserProperties: no
      		 
      Suspects: no
      		 
      Form: none
      		 
      JavaScript: no
      		 
      Pages: 1
      		 
      Encrypted: no
      		 
      Page size: 595.276 x 841.89 pts (A4)
      		 
      Page rot: 0
      		 
      File size: 67768 bytes
      		 
      Optimized: no
      		 
      PDF version: 1.7

      4) Confirm that the Producer says 'TCPDF (http://www.tcpdf.org)' 

      Show
      1) Add the attached test script to your web root and run it in a browser http://moodle.local/MDL-70735-pdf-hello-world.php 2) Save this PDF 3) Inspect the metadata with any pdf metadata tool such as pdfinfo on linux   $ pdfinfo doc.pdf Producer: TCPDF (http://www.tcpdf.org) CreationDate: Fri Jan 29 12:27:49 2021 AEDT ModDate: Fri Jan 29 12:27:49 2021 AEDT Tagged: no UserProperties: no Suspects: no Form: none JavaScript: no Pages: 1 Encrypted: no Page size: 595.276 x 841.89 pts (A4) Page rot: 0 File size: 67768 bytes Optimized: no PDF version: 1.7 4) Confirm that the Producer says 'TCPDF ( http://www.tcpdf.org )' 

    Description

      We've had a couple pen tests report information disclosure from the PDF metadata. It is admittedly very low but discloses the version of tcpdf which could be related future known vulnerabilities in that version.

       

      Attachments

        Issue Links

          has been marked as being related by

          Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-70902 Upgrade TCPDF to 6.4.1 for PHP8 compatibility

          • Major - Major loss of function, incorrect output
          • Closed

          Activity

            People

              brendanheywood Brendan Heywood
              brendanheywood Brendan Heywood
              Nicholas Hoobin Nicholas Hoobin
              Adrian Greeve Adrian Greeve
              Janelle Barcega Janelle Barcega
              David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:
                17/May/21

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 1 hour, 10 minutes
                  1h 10m