Open Office to PDF conversion posed pwnage risk to file conversion utility

UPDATED A web security vulnerability that posed a severe threat to the internal systems of online file conversion utility firm Zamzar has been resolved.

Security flaws, discovered by security researchers at offensive security consultancy Bishop Fox, centered on Zamzar’s application programming interface (API).

Bishop Fox discovered that a server-side request forgery (SSRF) vulnerability came into play when the technology was used to convert an Open Office ODT file to a PDF.

“This vulnerability executed malicious XML content embedded in the ODT file and allowed the contents of remote and local objects to be inserted into the PDF during the conversion process,” a technical write-up of the security flaws by Bishop Fox that was published on Thursday explains.

Bishop Fox reported the issue to Zamzar, which acted promptly to plug the security hole within two days. This is just as well, because the potential impact of the vulnerability was severe.

“This vulnerability allowed for SSRF and local file inclusion (LFI) as the root user,” Bishop Fox explains. “With full read access on Zamzar’s servers, an attacker could steal sensitive information like keys or source code.”
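A pre-conversion check that a service could run on uploaded ODT files, as an added example that is not from the article, Bishop Fox or Zamzar: it lists every reference in the package's XML that points outside the package. The write-up quoted here does not say which XML construct was used; the check assumes external objects are referenced through `xlink:href` attributes, and the function names and sample document are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
XML_PARTS = ("content.xml", "styles.xml", "meta.xml", "settings.xml")

def is_external(href):
    """True when href leaves the ODT package: URL scheme, absolute or parent path."""
    href = href.strip()
    if href.startswith("#"):           # anchor inside the same document
        return False
    if urlparse(href).scheme:          # file:, http:, ftp:, drive letters, ...
        return True
    return href.startswith(("/", "\\", "../", "..\\"))

def external_refs(odt_bytes):
    """Return sorted (part, href) pairs for every external xlink:href found."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as pkg:
        names = set(pkg.namelist())
        for part in XML_PARTS:
            if part not in names:
                continue
            root = ET.fromstring(pkg.read(part))
            for element in root.iter():
                href = element.get(XLINK_HREF)
                if href and is_external(href):
                    found.add((part, href))
    return sorted(found)

def build_sample(hrefs):
    """Constructed sample: minimal ODT-like zip whose content.xml links images."""
    images = "".join(f'<draw:image xlink:href="{h}"/>' for h in hrefs)
    xml = ('<office:document-content '
           'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
           'xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" '
           'xmlns:xlink="http://www.w3.org/1999/xlink">'
           f'<office:body>{images}</office:body></office:document-content>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("content.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample(["Pictures/logo.png", "file:///constructed/path",
                           "http://internal.example/x"])
    for part, href in external_refs(sample):
        print(f"reject before conversion: {part} references {href}")
```

A check like this complements, and does not replace, running the converter as an unprivileged user with no access to internal networks or sensitive files.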

Nipped in the bud

Chris Flanagan, security consultant at Bishop Fox, told The Daily Swig that the vulnerability was “fairly easy” to exploit.

“A specially crafted OpenOffice document was uploaded to a third-party web application,” he explained. “That web application utilized the Zamzar API to convert the OpenOffice document to a PDF, and in doing so, included the contents of a file from Zamzar’s API server.”

Bishop Fox uncovered the vulnerability in the process of conducting a penetration test on a client’s web application.

Chris Whyley, CTO at Zamzar, told The Daily Swig that there had been no malicious exploitation of the vulnerability prior to its discovery by Bishop Fox.

“We take security issues such as this extremely seriously at Zamzar, and are thankful to Bishop Fox for finding and reporting this vulnerability responsibly,” Whyley explained. “Our team worked quickly to remediate the issue, and did so within 48 hours of the first report.

“A subsequent audit of our systems revealed that no Zamzar or customer data was impacted by this issue.”

Zamzar is an online file conversion service that can convert over 1100 file formats, including documents, images, video, and audio. Web developers can use the Zamzar service when building their web application.

When a user uploads a file to a web application, that web application can use the Zamzar API to convert it to the web developer’s desired format.


This story has been updated to add comment from Bishop Fox's Chris Flanagan and Zamzar.
