Choose language:
Pratite nas:

Directory Traversal vulnerability in the Foxit MobilePDF app


New vulnerability doscovered by our pen test team member Antonio Zekić. Simple but cool. Another proof that old school stuff is still around. The vulnerability allows unauthorized directory listing as well as reading of arbitrary files as long as the Foxit MobilePDF server can read the file on the affected iOS device.

VULNERABILITY TITLE: Directory Traversal in Foxit MobilePDF

VULNERABILITY TYPE: Directory Traversal
PRODUCT: Foxit MobilePDF for iOS
VULNERABLE VERSION: 6.0.0 and earlier
CVE NUMBER: CVE-2017-16814
FOUND: 2017-10-13

BY: Antonio Zekić of INFIGO IS d.o.o.

A Directory Traversal issue was discovered in the Foxit MobilePDF app before 6.1 for iOS. This occurs by abusing the URL + escape character during a Wi-Fi transfer, which could be exploited by attackers to bypass intended restrictions on local application files.
The identified directory traversal vulnerability can be exploited by submitting the '../' directory path with URL encoding (i.e. as %2e%2e%2f). The vulnerable Foxit MobilePDF server for iOS will traverse through the submitted directory and show directory listing as well as allow reading of files (as long as the Foxit MobilePDF server can read the file on the affected iOS device). 
The screenshots below show exploitation of a vulnerable installation of Foxit MobilePDF server for iOS.
1) The screenshot below shows the available interface, where only the default document can be seen:
2) By modifying the URL and appending typical directory traversal (%2e%2e%2f), the server will show the directory listing of a directory one level higher in the hierarchy:


Foxit MobilePDF for iOS 6.0.0 and earlier.




Disable the ‘File transfering’ feature.