Outdated version of mPDF library contained serious security bug

A vulnerability in furniture chain Ikea’s website allowed a researcher to manipulate a PDF file for local file inclusion.

The flaw was found in an interactive feature within the site, bathroomplanner.ikea.com, which allows customers to plan which products they want and either email a product list or download it as a PDF.

It was this PDF file that Jonathan Bouman discovered could be exploited, netting the researcher €250 ($293) through Ikea’s bug bounty program and preventing malicious hackers from replicating the technique.

Bouman detailed in a blog post how he was able to carry out the attack on the mPDF generation process in Ikea’s website.

He noted that older versions of mPDF contain a serious security bug which can allow code to be injected using annotation tags – a hidden text box which will pop up when the user runs their cursor over it.

To exploit this flaw, Bouman used Burp Suite to add his own code to the template – <annotation file=\”/etc/passwd\” content=\”/etc/passwd\” icon=\”Graph\” title=\”Attached File: /etc/passwd\” pos-x=\”195\” /> – and downloaded the resulting PDF file.

This PDF contained the /etc/passwd file.

He also advised other companies on how to avoid becoming victim to this flaw.

“Never allow the users to manipulate the template of a PDF,” Bouman wrote. “Render the PDF containing the shopping list on the client-side, for example with jsPDF.”

In addition, Bouman advised developers to update to the latest version of the mPDF library and disable the annotation code.