Directory Traversal vulnerability in the Foxit MobilePDF app
New vulnerability discovered by our pen test team member Antonio Zekić. Simple but cool. Another proof that old school stuff is still around. The vulnerability allows unauthorized directory listing as well as reading of arbitrary files as long as the Foxit MobilePDF server can read the file on the affected iOS device.
VULNERABILITY TITLE: Directory Traversal in Foxit MobilePDF
PRODUCT: Foxit MobilePDF for iOS
VULNERABILITY TYPE: Directory Traversal
VULNERABLE VERSION: 6.0.0 and earlier
FIXED VERSION: 6.1
CVE NUMBER: CVE-2017-16814
PRODUCT URL: https://itunes.apple.com/us/app/foxit-pdf-pdf-reader-editor/id507040546?mt=8
BY: Antonio Zekić of INFIGO IS d.o.o.
A Directory Traversal issue was discovered in the Foxit MobilePDF app before 6.1 for iOS. This occurs by abusing the URL + escape character during a Wi-Fi transfer, which could be exploited by attackers to bypass intended restrictions on local application files.
The identified directory traversal vulnerability can be exploited by submitting the '../' directory path with URL encoding (i.e. as %2e%2e%2f). The vulnerable Foxit MobilePDF server for iOS will traverse through the submitted directory and show directory listing as well as allow reading of files (as long as the Foxit MobilePDF server can read the file on the affected iOS device).
Foxit MobilePDF for iOS 6.0.0 and earlier.
Upgrade to the latest version available:https://itunes.apple.com/us/app/foxit-pdf-pdf-readereditor/id507040546?mt=8
Disable the ‘File transferring’ feature.
VENDOR SECURITY BULLETIN URL:https://www.foxitsoftware.com/support/security-bulletins.php