MDL-70735: Reduce information disclosure from TCPDF version


    Details

    • Testing Instructions:

      1) Add the attached test script to your web root and open it in a browser:

      http://moodle.local/MDL-70735-pdf-hello-world.php

      2) Save the resulting PDF

      3) Inspect its metadata with any PDF metadata tool, such as pdfinfo on Linux:

      $ pdfinfo doc.pdf 
      Producer: TCPDF (http://www.tcpdf.org)
      CreationDate: Fri Jan 29 12:27:49 2021 AEDT
      ModDate: Fri Jan 29 12:27:49 2021 AEDT
      Tagged: no
      UserProperties: no
      Suspects: no
      Form: none
      JavaScript: no
      Pages: 1
      Encrypted: no
      Page size: 595.276 x 841.89 pts (A4)
      Page rot: 0
      File size: 67768 bytes
      Optimized: no
      PDF version: 1.7

      4) Confirm that the Producer line reads 'TCPDF (http://www.tcpdf.org)', with no TCPDF version number in it

    • Affected Branches:
      MOODLE_311_STABLE
    • Fixed Branches:
      MOODLE_311_STABLE
    • Pull 3.11 Branch:
      MDL-70735-pdf-metadata-MOODLE_311_STABLE
    • Pull Master Branch:
      MDL-70735-pdf-metadata

      Description

      We've had a couple of pen tests report information disclosure from the PDF metadata. It is admittedly very low, but it discloses the version of TCPDF, which could be related to future known vulnerabilities in that version.

              People

              Assignee:
              brendanheywood Brendan Heywood
              Reporter:
              brendanheywood Brendan Heywood
              Peer reviewer:
              Nicholas Hoobin Nicholas Hoobin
              Integrator:
              Adrian Greeve Adrian Greeve
              Tester:
              Janelle Barcega Janelle Barcega
              Component watchers:
              Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Sara Arjona (@sarjona)

                Dates

                Fix Release Date:
                17/May/21

                  Time Tracking

                  Estimated:
                  Not Specified
                  Remaining:
                  0m
                  Logged:
                  1h 10m