
A recent security disclosure has unveiled a critical vulnerability within Microsoft 365's PDF export functionality, enabling attackers to perform Local File Inclusion (LFI) attacks and access sensitive files on the server. This flaw, now patched by Microsoft, underscores the importance of rigorous security assessments in cloud-based services.
Discovery and Initial Assessment
The vulnerability was identified during a routine client assessment when a security researcher examined a web application feature that converted documents to PDF format and published them on SharePoint. Initially perceived as a client-side issue, further investigation revealed that the application utilized Microsoft's official APIs, indicating the flaw resided within Microsoft's infrastructure.
Technical Exploitation
The core of the vulnerability lay in the HTML-to-PDF conversion process. By embedding specific HTML tags such as <embed>, <object>, and <iframe> into HTML content, attackers could force the inclusion of local files from the server's file system into the generated PDF. This method allowed unauthorized access to sensitive server-side data, including configuration files like web.config and win.ini.
Potential Risks and Impact
Exploitation of this vulnerability could lead to significant security breaches, including unauthorized access to confidential information, exposure of database credentials, and potential leakage of application source code. In multi-tenant environments, there was a risk of cross-tenant data exposure if attackers could identify paths to temporary files.
Microsoft's Response and Mitigation
Upon disclosure, Microsoft conducted a thorough investigation over four months, culminating in the release of a patch to remediate the vulnerability. The researcher was awarded a $3,000 bounty by Microsoft's Security Response Center (MSRC) for responsibly reporting the issue.
Broader Context and Similar Vulnerabilities
This incident is not isolated. Similar vulnerabilities have been identified in other systems. For instance, a Local File Inclusion vulnerability was found in the mobile/downloadfile.aspx component, allowing unauthenticated attackers to access sensitive files by crafting specific GET requests. (northit.co.uk)
Recommendations for Organizations
To mitigate such vulnerabilities, organizations should:
- Implement Strict Input Validation: Ensure that all user inputs are properly sanitized to prevent malicious code execution.
- Restrict File Permissions: Limit access to sensitive files and directories to authorized users only.
- Regular Security Audits: Conduct periodic assessments to identify and address potential vulnerabilities.
- Stay Updated: Apply security patches and updates promptly to protect against known vulnerabilities.
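One way to apply the input-validation recommendation to the conversion step described above, as an added example (not code from the article, the researcher, or Microsoft): a fail-closed pre-check that refuses HTML containing the three tags the article names before the document is handed to a PDF converter. The function names and the sample documents are constructed for illustration.

```python
from html.parser import HTMLParser

# Tags the article names as the file-inclusion vector in HTML-to-PDF conversion.
BLOCKED_TAGS = {"embed", "object", "iframe"}
# Attributes on those tags that carry the referenced resource (kept for triage).
REF_ATTRS = {"src", "data"}


class _TagScanner(HTMLParser):
    """Collects every occurrence of a blocked tag, with position and reference."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <EMBED SRC=...> is
        # caught too; self-closing forms also arrive here via handle_startendtag.
        if tag in BLOCKED_TAGS:
            line, col = self.getpos()
            refs = {k: v for k, v in attrs if k in REF_ATTRS}
            self.findings.append({"tag": tag, "line": line, "col": col, "refs": refs})


def scan_html(html):
    """Return a list of findings for blocked tags in the submitted HTML."""
    scanner = _TagScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def assert_convertible(html):
    """Fail closed: raise instead of passing the document to the converter."""
    findings = scan_html(html)
    if findings:
        tags = ", ".join(f"<{f['tag']}> at line {f['line']}" for f in findings)
        raise ValueError(f"HTML rejected before PDF conversion: {tags}")
    return html


# Constructed sample inputs; the reference value is a placeholder, not a real path.
SAMPLE_OK = "<h1>Quarterly report</h1><p>Escaped text: &lt;embed&gt;</p>"
SAMPLE_BAD = (
    "<p>Intro</p>\n"
    '<EMBED SRC="local-path-placeholder">\n'
    '<object data="local-path-placeholder"></object>\n'
    '<iframe src="local-path-placeholder"/>'
)
```

Logging the findings alongside the rejection gives the security team a record of which submissions attempted to reference a resource through these tags.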
The discovery and remediation of this LFI vulnerability in Microsoft 365's PDF export feature highlight the critical need for continuous security vigilance in cloud services. Organizations must adopt proactive security measures to safeguard sensitive data and maintain trust in their digital infrastructure.
Source: Cyber Press LFI Vulnerability in Microsoft 365 PDF Export Lets Attackers Access Confidential Files