Choose language:
Pratite nas:
back

Directory Traversal vulnerability in the Foxit MobilePDF app

05.02.2018

New vulnerability doscovered by our pen test team member Antonio Zekić. Simple but cool. Another proof that old school stuff is still around. The vulnerability allows unauthorized directory listing as well as reading of arbitrary files as long as the Foxit MobilePDF server can read the file on the affected iOS device.

VULNERABILITY TITLE: Directory Traversal in Foxit MobilePDF


VULNERABILITY TYPE: Directory Traversal
PRODUCT: Foxit MobilePDF for iOS
VULNERABLE VERSION: 6.0.0 and earlier
FIXED VERSION: 6.1
CVE NUMBER: CVE-2017-16814
IMPACT: MEDIUM
PRODUCT URL: https://itunes.apple.com/us/app/foxit-pdf-pdf-reader-editor/id507040546?mt=8
FOUND: 2017-10-13

BY: Antonio Zekić of INFIGO IS d.o.o.

 
VULNERABILITY DESCRIPTION
 
A Directory Traversal issue was discovered in the Foxit MobilePDF app before 6.1 for iOS. This occurs by abusing the URL + escape character during a Wi-Fi transfer, which could be exploited by attackers to bypass intended restrictions on local application files.
The identified directory traversal vulnerability can be exploited by submitting the '../' directory path with URL encoding (i.e. as %2e%2e%2f). The vulnerable Foxit MobilePDF server for iOS will traverse through the submitted directory and show directory listing as well as allow reading of files (as long as the Foxit MobilePDF server can read the file on the affected iOS device). 
 
The screenshots below show exploitation of a vulnerable installation of Foxit MobilePDF server for iOS.
 
1) The screenshot below shows the available interface, where only the default document can be seen:
 
2) By modifying the URL and appending typical directory traversal (%2e%2e%2f), the server will show the directory listing of a directory one level higher in the hierarchy:
 

VULNERABLE VERSIONS

Foxit MobilePDF for iOS 6.0.0 and earlier.
 

SOLUTION

 

WORKAROUND

Disable the ‘File transfering’ feature.