News

i-net PDFC Security Advisory 2020-APR-06

Berlin, Apr 06, 2020

This advisory announces a security vulnerability in versions 4.3 – 6.2 of i-net PDFC Server that we have found and fixed. In addition to releasing a fixed version of i-net PDFC Server 4.3, 5.2, and 6.2, we also provide patches (in the form of a plugin upgrade) for the vulnerability. This means you are able to fix the issue for your current installation of i-net PDFC Server without needing to fully update to the latest version.

Note: this vulnerability only affects i-net PDFC servers from versions 4.3 to 6.2.

Improper Path Traversal

Severity

We rate the severity level of this vulnerability as critical - it is easy to exploit and provides an attacker with the ability to download any file on the server system that the i-net PDFC process has access to.

Risk Assessment

This vulnerability affects any running instance of i-net PDFC which is accessible by an attacker. It allows an attacker to download any file on the system that the i-net PDFC process has access to, without needing to log in. You can read more about this type of attack (classified as CWE-22) here.

Vulnerability

The vulnerability existed in any i-net PDFC server from version 4.3 to version 6.2. We have fixed this issue for each of the latest of the major versions (4.3, 5.1, and 6.2), and are also providing a simple patch for any affected server. We have registered this vulnerability in the Common Vulnerabilities database as CVE-2020-11431.

Risk Mitigation

We recommend that you replace your help.zip plugin file to fix this vulnerability. Please see the 'fix' section below for instructions how to do this.

If you would like to, alternatively you can also update to the latest minor release of your version of i-net PDFC. Please see the 'fix' section below for instructions how to do this.

If you are not in a position to replace this file or update your server and you judge it necessary, you can apply the following mitigation, which will disable your i-net PDFC Server online Help system and thereby remove the vulnerability:

  • Disable the plugin “Help”
    • To do this, enter your server's “Configuration” module
    • Open the category “Plugins”
    • Open up the folder “System”
    • Deactivate the checkbox next to “Help”
    • Click on Save
    • In the box that opens, click “Restart” to restart your service - or alternatively, restart your i-net PDFC server manually.

Fix

Please choose one of the options below that best suits your situation.

Option 1 (recommended): Update the ''help.zip'' file

A simple replacement of the help.zip plugin file with a patched version will fix this issue immediately.

  1. Download the version of help.zip which fits to your product version. See the table below.
    • (Note: To double-check which version of i-net PDFC you have, simply visit your i-net PDFC server start page and look at the light grey text at the bottom right of the page.)
  2. Stop your i-net PDFC service.
    • Windows: Press Windows+R and type services.msc, then hit enter. In the Services dialog, find “i-net PDFC Server”, right-click, and click on “Stop”.
    • Mac: In your System Preferences, enter the i-net PDFC entry and click the on/off button to turn off the service.
    • Linux: In a terminal, run service pdfc stop
  3. Copy the downloaded help.zip file into your server's “plugins” directory, replacing the old help.zip file.
    • The default location of the plugins directory is:
      • Windows: C:\Program Files\i-net PDFC Server\plugins
      • Mac: /Applications/i-net PDFC Server.app/Contents/Java/plugins
      • Linux: /usr/share/i-net-pdfc/plugins
    • Important: Do not rename this old file, rather remove it entirely and/or replace it.
  4. Restart your i-net PDFC service.
    • Windows: Press Windows+R and type services.msc, then hit enter. In the Services dialog, find i-net PDFC, right-click, and click on “Start”.
    • Mac: In your System Preferences, enter the i-net PDFC entry and click the on/off button to turn on the service.
    • Linux: In a terminal, run service pdfc start
i-net PDFC Version Download Link of Fixed help.zip File MD5 Hash
i-net PDFC 4.3 https://download.inetsoftware.de/security/pdfc/4/help.zip 6fab3ef1ba350452a636303f5ae1f372
i-net PDFC 5.0-5.1 https://download.inetsoftware.de/security/pdfc/5/help.zip 2caa2589f53e4737bbad0b37356854cd
i-net PDFC 6.0-6.2 https://download.inetsoftware.de/security/pdfc/6/help.zip 2f7ac2a4c1932c48b34929b6622775d3

Option 2: Update i-net PDFC Server to the latest version

The latest versions of i-net PDFC contain this fix as well as any other less critical bug fixes and improvements that we have added since the release of your current version. For further information, please see the Release Notes section of our website.

To download the latest release of your i-net PDFC version, see the links in the following table:

What We Are Changing

To protect against such vulnerabilities in the future, our development team has spent much time analyzing why this problem occurred and why it was not caught earlier through tests and code reviews. This has led to multiple changes in our development procedures to raise the bar of our software quality even higher.

We have also added automated tests to our test suite which will automatically check for CWE-22 vulnerabilities throughout our products.

Acknowledgment & Thanks

We'd like to give our sincere thanks to the company Secarma for reporting this issue to us in a confidential, professional, and timely manner.

Secarma have let us know that they are planning on a public disclosure of all details of this vulnerability, including the steps to exploit it, around the end of June 2020 - which we fully support. For this reason, it is absolutely vital to fix your systems by this time.

Questions?

If you have any further questions regarding this vulnerability, you can contact us at security@inetsoftware.de and we will get back to you as soon as possible.

We apologize for this issue. Your trust is deeply important to us, so rest assured that we will continue to make sure such issues are extremely rare and that if they occur, they will always be immediately dealt with and communicated to you without delay.

 

© Copyright 1996 - 2020, i-net software; All Rights Reserved.