File conversion tool Zamzar springs to action to quickly resolve web security flaws in API


John Leyden 28 August 2020 at 15:25 UTC

Open Office to PDF conversion posed pwnage risk to file conversion utility

A web security vulnerability that posed a severe threat to the internal systems of online file conversion utility firm Zamzar has been resolved.

Security flaws, discovered by security researchers at offensive security consultancy Bishop Fox, centred on Zamzar’s application programming interface (API).

Bishop Fox discovered that a server-side request forgery (SSRF) vulnerability came into play when the technology was used to convert an Open Office ODT file to a PDF.

“This vulnerability executed malicious XML content embedded in the ODT file and allowed the contents of remote and local objects to be inserted into the PDF during the conversion process,” a technical write-up of the security flaws by Bishop Fox that was published on Thursday explains.
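As an added illustration, not code from Bishop Fox, Zamzar or the write-up, the following is a pre-conversion screen a file conversion service could run over an uploaded ODT: it unpacks the ODF zip package and rejects any XML part that declares a DTD or entity, or that links an embedded object to a file or network URL, since those are the constructs through which remote and local content ends up in the output document. The package layout and the two sample documents are constructed, with placeholder paths.

```python
import io
import re
import zipfile
from typing import List

# Constructs a converter should refuse before an XML parser ever sees the document:
# DTD/entity declarations (external entities) and object links pointing outside the package.
DTD_RE = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)
EXT_HREF_RE = re.compile(rb'xlink:href\s*=\s*"((?:file|https?|ftp):[^"]*)"', re.IGNORECASE)


def build_odt(content_xml: bytes) -> bytes:
    """Build a minimal ODT package in memory (constructed test input, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # ODF requires 'mimetype' as the first member, stored uncompressed.
        zf.writestr(zipfile.ZipInfo("mimetype"), b"application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content_xml, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def scan_odt(data: bytes) -> List[str]:
    """Return findings that should block conversion; an empty list means no risky XML was seen."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".xml"):
                continue
            xml = zf.read(name)
            if DTD_RE.search(xml):
                findings.append(f"{name}: DTD or entity declaration present")
            for match in EXT_HREF_RE.finditer(xml):
                target = match.group(1).decode("utf-8", errors="replace")
                findings.append(f"{name}: external object reference {target}")
    return findings


# Constructed samples (namespaces trimmed; the scan is textual, not a full ODF parse).
SAFE_XML = (b'<?xml version="1.0"?><office:document-content><office:body>'
            b'<office:text><text:p>hello</text:p></office:text></office:body></office:document-content>')
UNSAFE_XML = (b'<?xml version="1.0"?>'
              b'<!DOCTYPE doc [<!ENTITY ext SYSTEM "file:///placeholder/local-object">]>'
              b'<office:document-content><office:body><office:text><text:p>&ext;</text:p>'
              b'<draw:object xlink:href="http://example.invalid/linked-object"/>'
              b'</office:text></office:body></office:document-content>')

if __name__ == "__main__":
    for label, xml in (("safe", SAFE_XML), ("unsafe", UNSAFE_XML)):
        print(label, scan_odt(build_odt(xml)) or "clean")
```

A textual screen like this is a first gate only; the converter's own XML parser must still be configured to refuse DTDs and external entity resolution, and the conversion should run under an unprivileged account rather than root.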

Bishop Fox reported the issue to Zamzar, which acted promptly to plug the security hole within two days. This is just as well, because the potential impact of the vulnerability was severe.

“This vulnerability allowed for SSRF and local file inclusion (LFI) as the root user,” Bishop Fox explains. “With full read access on Zamzar’s servers, an attacker could steal sensitive information like keys or source code.”

The Daily Swig has reached out to both Bishop Fox and Zamzar for comment. We’ll update this story as more information comes to hand.
