##################################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/en/research/advisories/
#
################# ##################################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/en/research/advisories/
#
##################################################################
#
# Product: iText PDF Library
# Vendor: iText Group
# CVE ID: CVE-2017-9096
# CSNC ID: CSNC-2017-017
# Subject: XML External Entity Attack (XXE)
# Risk: Medium
# Effect: Remotely exploitable
# Author: Benjamin Bruppacher <benjamin.bruppacher@compass-security.com>
# Date: 2017-11-06
#
##################################################################

Introduction:
-------------
iText is a software developer toolkit that allows users to integrate PDF functionalities within their applications, processes or products.

The used XML parsers inside the library are not configured to disable external entities. This can be used for XML External Entity Attacks[1].

Affected versions:
---------
Vulnerable:
* 2.0.8
* 5.5.11
* 7.0.2
Not vulnerable:
* 5.5.12
* 7.0.3

Technical Description
---------------------
The attack can be carried out by submitting a malicious PDF to an iText application that parses XML data.
By providing a malicious XXE payloads inside the XML data that resides in the PDF, an attacker can for example extract files or forge requests on the server.

Timeline:
---------
2017-05-10: Discovery by Benjamin Bruppacher
2017-05-15: Initial vendor notification
2017-08-01: Vendor releases patch
2017-11-06: Disclosure of the advisory

References:
-----------
[1] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing