Berlin, Apr 06, 2020
This advisory announces a security vulnerability in versions 4.3 – 6.2 of i-net PDFC Server that we have found and fixed. In addition to releasing a fixed version of i-net PDFC Server 4.3, 5.2, and 6.2, we also provide patches (in the form of a plugin upgrade) for the vulnerability. This means you are able to fix the issue for your current installation of i-net PDFC Server without needing to fully update to the latest version.
Note: this vulnerability only affects i-net PDFC servers from versions 4.3 to 6.2.
We rate the severity level of this vulnerability as critical - it is easy to exploit and provides an attacker with the ability to download any file on the server system that the i-net PDFC process has access to.
This vulnerability affects any running instance of i-net PDFC that is reachable by an attacker. It allows an attacker to download any file on the system that the i-net PDFC process has access to, without needing to log in. This type of attack is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal"); you can read more about it in the CWE entry for CWE-22.
The vulnerability existed in every i-net PDFC server from version 4.3 to version 6.2. We have fixed this issue in the latest release of each affected major version (4.3, 5.1, and 6.2), and are also providing a simple patch for any affected server. We have registered this vulnerability in the Common Vulnerabilities and Exposures (CVE) database as CVE-2020-11431.
We recommend that you replace your help.zip plugin file to fix this vulnerability. Please see the 'fix' section below for instructions on how to do this.
Alternatively, you can update to the latest minor release of your version of i-net PDFC. Please see the 'fix' section below for instructions on how to do this.
If you are not in a position to replace this file or update your server and you judge it necessary, you can apply the following mitigation, which will disable your i-net PDFC Server online Help system and thereby remove the vulnerability:
Please choose one of the options below that best suits your situation.
A simple replacement of the help.zip plugin file with a patched version will fix this issue immediately.
Step 1: Download the help.zip which fits your product version. See the table below.
Step 2: Stop the i-net PDFC Server.
  Windows: open the Run dialog, type services.msc, then hit enter. In the Services dialog, find "i-net PDFC Server", right-click, and click on "Stop".
  Linux: service pdfc stop
Step 3: Copy the downloaded help.zip file into your server's "plugins" directory, replacing the old one:
  Windows: C:\Program Files\i-net PDFC Server\plugins
  macOS: /Applications/i-net PDFC Server.app/Contents/Java/plugins
Step 4: Start the i-net PDFC Server again.
  Windows: open the Run dialog, type services.msc, then hit enter. In the Services dialog, find "i-net PDFC Server", right-click, and click on "Start".
  Linux: service pdfc start
|i-net PDFC Version|Download Link of Fixed help.zip|MD5 Hash|
|---|---|---|
|i-net PDFC 4.3|https://download.inetsoftware.de/security/pdfc/4/help.zip| |
|i-net PDFC 5.0-5.1|https://download.inetsoftware.de/security/pdfc/5/help.zip| |
|i-net PDFC 6.0-6.2|https://download.inetsoftware.de/security/pdfc/6/help.zip| |
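The replacement procedure above as a script, an added example that is not i-net's own tooling: it copies the patched help.zip into the plugins directory only after the file's MD5 matches the published value, and keeps a dated backup of the old plugin. The plugins directory, the download path and EXPECTED_MD5 in apply_fix are placeholders to fill in from your installation and the table above.

```shell
#!/bin/sh
# Added example, not i-net's own tooling: installs the patched help.zip only
# after its MD5 matches the published value and keeps a backup of the old file.
set -eu

# Print the MD5 of a file (md5sum on Linux, md5 on macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    else md5 -q "$1"; fi
}

# install_plugin NEW_ZIP PLUGINS_DIR EXPECTED_MD5
# Returns 1 and leaves the old plugin untouched if the hash does not match.
install_plugin() {
    new_zip=$1; plugins_dir=$2; expected=$3
    actual=$(md5_of "$new_zip")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to install $new_zip: MD5 $actual != $expected" >&2
        return 1
    fi
    if [ -f "$plugins_dir/help.zip" ]; then
        cp -p "$plugins_dir/help.zip" "$plugins_dir/help.zip.bak-$(date +%Y%m%d%H%M%S)"
    fi
    cp "$new_zip" "$plugins_dir/help.zip"
}

# The full procedure on a Debian/Ubuntu server. Placeholders: the plugins
# directory, the download path and EXPECTED_MD5 (take it from the table).
apply_fix() {
    service pdfc stop
    install_plugin "/path/to/downloaded/help.zip" "/path/to/pdfc/plugins" "EXPECTED_MD5"
    service pdfc start
}
```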
The latest versions of i-net PDFC contain this fix as well as any other less critical bug fixes and improvements that we have added since the release of your current version. For further information, please see the Release Notes section of our website.
To download the latest release of your i-net PDFC version, see the links in the following table:
|i-net PDFC Version|Platform|Download Link of Latest Release|
|---|---|---|
|i-net PDFC 4.3|Windows|https://download.inetsoftware.de/pdfc-server-4-latest.msi|
|i-net PDFC 4.3|Debian / Ubuntu|https://download.inetsoftware.de/pdfc-server-4-latest.deb|
|i-net PDFC 5.1|Windows|https://download.inetsoftware.de/pdfc-server-5-latest.msi|
|i-net PDFC 5.1|Debian / Ubuntu|https://download.inetsoftware.de/pdfc-server-5-latest.deb|
|i-net PDFC 6.2|Windows|https://download.inetsoftware.de/pdfc-server-latest.msi|
|i-net PDFC 6.2|Debian / Ubuntu|https://download.inetsoftware.de/pdfc-server-latest.deb|
To protect against such vulnerabilities in the future, our development team has spent much time analyzing why this problem occurred and why it was not caught earlier through tests and code reviews. This has led to multiple changes in our development procedures to raise the bar of our software quality even higher.
We have also added automated tests to our test suite which will automatically check for CWE-22 vulnerabilities throughout our products.
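An added example, not i-net's code, illustrating both the CWE-22 pattern described in this advisory and the kind of automated regression test mentioned above: a file-serving routine of the shape that lets a crafted request walk out of an online-help root, its hardened form, and a check that runs a fixed set of traversal inputs against each. The directory layout and the helper names are constructed for the example.

```python
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

def serve_help_file_unsafe(help_root: Path, request_path: str) -> Optional[bytes]:
    """Vulnerable pattern: the decoded request is joined onto the help root
    and read back without confining the result, so '..' segments walk out."""
    target = help_root / unquote(request_path).lstrip("/")
    return target.read_bytes() if target.is_file() else None

def serve_help_file_safe(help_root: Path, request_path: str) -> Optional[bytes]:
    """Hardened form: decode, collapse '..' and symlinks with resolve(), then
    require the real path to stay inside the help root (Python 3.9+)."""
    root = help_root.resolve()
    target = (root / unquote(request_path).lstrip("/")).resolve()
    if not target.is_relative_to(root) or not target.is_file():
        return None
    return target.read_bytes()

# Inputs a CWE-22 regression test sends; none may yield data from outside the root.
TRAVERSAL_PROBES = ["../secret.txt", "..%2Fsecret.txt", "/../secret.txt",
                    "docs/../../secret.txt", "%2e%2e/secret.txt"]
OUTSIDE = b"outside-the-help-root"   # constructed marker content

def check_handler(handler):
    """Builds a constructed layout (help root plus one file outside it) and
    returns (probes that leaked the outside file, whether a normal request
    still works)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        help_root = base / "help"
        (help_root / "docs").mkdir(parents=True)
        (help_root / "index.html").write_bytes(b"<h1>Help</h1>")
        (base / "secret.txt").write_bytes(OUTSIDE)
        leaked = [p for p in TRAVERSAL_PROBES if handler(help_root, p) == OUTSIDE]
        index_ok = handler(help_root, "index.html") == b"<h1>Help</h1>"
        return leaked, index_ok

if __name__ == "__main__":
    for h in (serve_help_file_unsafe, serve_help_file_safe):
        print(h.__name__, check_handler(h))
```

The unsafe handler leaks on every probe while the safe one returns nothing for them and still serves index.html, which is exactly the pass/fail condition such a test suite needs.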
We'd like to give our sincere thanks to the company Secarma for reporting this issue to us in a confidential, professional, and timely manner.
Secarma have let us know that they are planning on a public disclosure of all details of this vulnerability, including the steps to exploit it, around the end of June 2020 - which we fully support. For this reason, it is absolutely vital to fix your systems by this time.
If you have any further questions regarding this vulnerability, you can contact us at firstname.lastname@example.org and we will get back to you as soon as possible.
We apologize for this issue. Your trust is deeply important to us, so rest assured that we will continue to make sure such issues are extremely rare and that if they occur, they will always be immediately dealt with and communicated to you without delay.
i-net PDFC Security Advisory 2020-APR-06 (Apr 06, 2020)