TCPDF arbitrary file read
Description
TCPDF is a widely used PHP library for generating PDF documents. Versions prior to 6.2.0 contain a file disclosure vulnerability in the addTTFFont() method, which is designed to convert and add TrueType or Type1 fonts to the fonts directory. An attacker who can influence the font file path passed to this method can read arbitrary files from the server's filesystem and exfiltrate their contents, bypassing normal access controls.
Remediation
Upgrade TCPDF to version 6.2.0 or later, which includes a patch for this vulnerability. Follow these steps:
1. Identify all instances of TCPDF in your application by checking your dependency management files (composer.json, vendor directories, or manual installations)
2. Update TCPDF to the latest stable version using your package manager (e.g., composer update tecnickcom/tcpdf) or by downloading the latest release from the official repository
3. Test your PDF generation functionality thoroughly after the upgrade to ensure compatibility
4. If immediate upgrading is not possible, implement input validation to restrict the addTTFFont() method to only accept predefined, whitelisted font files from a controlled directory
5. Review server logs for any suspicious activity related to font file operations or unexpected file access patterns
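The allowlisting in step 4 is the part of the procedure that needs code. The following is an added example written for this page, not TCPDF's own code: an untrusted font name is accepted only if it is a bare file name, appears on a fixed allowlist, and resolves (after realpath(), so symlinks are followed) to a regular file inside one controlled directory; only then is the path handed to the font loader. The font directory, the allowlisted file names and the Composer autoload path are assumptions for the illustration. The static call TCPDF_FONTS::addTTFFont() is the 6.x entry point; on older releases the same check would wrap the instance method instead.

```php
<?php
// Added example (not part of TCPDF): gate addTTFFont() behind a file allowlist.
// Font directory, allowlist entries and autoload path are assumptions.
declare(strict_types=1);

require_once __DIR__ . '/vendor/autoload.php'; // assumed Composer install of tecnickcom/tcpdf

final class FontAllowlist
{
    /** @var string Absolute, resolved path of the only directory fonts may come from. */
    private string $fontDir;

    /** @var array<string,true> Bare file names (no path components) that may be registered. */
    private array $allowed;

    public function __construct(string $fontDir, array $allowedFiles)
    {
        $resolved = realpath($fontDir);
        if ($resolved === false || !is_dir($resolved)) {
            throw new RuntimeException('font directory does not exist');
        }
        $this->fontDir = $resolved;
        $this->allowed = array_fill_keys($allowedFiles, true);
    }

    /**
     * Map an untrusted font name (e.g. a request parameter) to a file inside
     * the font directory, or throw. Returns the absolute path.
     */
    public function resolve(string $requested): string
    {
        // Reject anything that is not a plain file name: separators, traversal, NUL bytes.
        if ($requested === '' || $requested !== basename($requested)
            || strpbrk($requested, "/\\\0") !== false) {
            throw new InvalidArgumentException('font name must be a bare file name');
        }
        // Only predefined files are eligible, regardless of what exists on disk.
        if (!isset($this->allowed[$requested])) {
            throw new InvalidArgumentException('font is not on the allowlist');
        }
        $path = realpath($this->fontDir . DIRECTORY_SEPARATOR . $requested);
        // realpath() resolves symlinks; confirm the result is still under $fontDir
        // and is a regular file, so a symlink out of the directory is refused.
        $prefix = $this->fontDir . DIRECTORY_SEPARATOR;
        if ($path === false
            || strncmp($path, $prefix, strlen($prefix)) !== 0
            || !is_file($path)) {
            throw new InvalidArgumentException('font file is not inside the font directory');
        }
        return $path;
    }
}

// Usage: register a user-chosen font only after it passes the allowlist.
$allowlist = new FontAllowlist(__DIR__ . '/fonts', ['DejaVuSans.ttf', 'DejaVuSerif.ttf']);

$requested = $_GET['font'] ?? 'DejaVuSans.ttf'; // untrusted input
try {
    $fontPath = $allowlist->resolve($requested);
    // TCPDF 6.x: converts the font file and returns the internal font name, or false on failure.
    $fontName = TCPDF_FONTS::addTTFFont($fontPath, 'TrueTypeUnicode', '', 32);
    if ($fontName === false) {
        throw new RuntimeException('font conversion failed');
    }
    $pdf = new TCPDF();
    $pdf->SetFont($fontName, '', 12);
} catch (InvalidArgumentException $e) {
    // Log the rejected name for the review in step 5; do not echo it back to the client.
    error_log('rejected font request: ' . $e->getMessage());
    http_response_code(400);
    echo 'Rejected font request';
}
```

The allowlist check runs before the filesystem is consulted, so an arbitrary name never reaches realpath() or the font loader; the realpath() prefix comparison is a second, independent check that also catches a symlink dropped into the font directory. Rejections are written to the server log, which is what step 5 then reviews.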