These small nuances provide the opportunity to create an XLSX file that can be used to get a better idea of what is processing the spreadsheets on the server. OpenOffice and older versions of Libre return an error for INFO functions it does not support where LibreOffice after 2015 will display "#N/A". The =INFO("osversion") function has a hard-coded value for OpenOffice/LibreOffice. This is a useful identifier for a few reasons. Most spreadsheet specs, such as XLSX or ODS, provide you with the INFO functions to give you some information about the software or system that opened the spreadsheet.Īn important observation to note here is that many websites we came across allowed for any LibreOffice support file type to be rendered, despite limiting file extensions client-side.
We used the following two methods to identify & fingerprint the document rendering service on multiple websites. Many companies rely on using LibreOffice to export common document formats to HTML/PDF due to it allowing headless file conversions. LibreOffice's Github project has over 500k commits including code that has not been updated in many years. LibreOffice is an open-source fork of OpenOffice and with some google searches you can see there are several critical CVEs for it from the past few weeks alone. We believe our research here is not final, and encourage others to look into this area. The unintended misuse of the Python-UNO bridge by the popular package unoconv resulted in CVE-2019-17400. This writeup covers our efforts to fingerprint LibreOffice, LibreOffice file detection (and abuse) & misuse of the LibreOffice Python-UNO bridge. In our attempt to fingerprint LibreOffice as a PDF rendering service, we identified multiple implementation vulnerabilities.
Slack has confirmed that no customer data was accessed using this bug. The security of file sharing is critically important to Slack and its users, and we worked with the research team to quickly implement a fix within 24 hours of receiving the report. Slack would like to thank the researchers for their work to increase the security of the open source tool LibreOffice and their responsible disclosure to Slack.
0 kommentar(er)
