(Note: when I say things like "not enough security" or "insecure", it is not against any developer. Security is something complex, and it is very hard to see one's own flaws. I am grateful for all open-source developers' work, and this article is just about reporting, learning and self-improvement.)
(Note 2: this article will be updated with new data as it occurs.)
PPTX2HTML is a library used by some projects to convert PPTX files into HTML documents. A PPTX file is a complex file format composed of:
- XML files containing data, references, styling and much other information;
- binary files, for objects, images and other data;
- all of it, compressed into one file in ZIP format.
Converting PPTX to HTML
In order to convert a PPTX file into HTML, PPTX2HTML does the following:
- unzip the file (as the .pptx is in a ZIP archive);
- interpret the XML files;
- generate an HTML node using the retrieved data.
Unzipping is performed using the Stuk/jszip library; I did not find anything relevant in that part.
XML parsing is performed using the TobiasNickel/tXml library; I did not find anything relevant in that part either (I was looking for XXE / XML bombs / JS injection).
HTML generation is not performed with enough security measures, leading to Cross-Site Scripting (XSS) flaws (more info).
PPTX2HTML generates HTML using string concatenation. It is a bad practice because you need to escape / unescape strings in many tricky ways. The relevant code from the library:

    var linkURL = warpObj["slideResObj"][linkID]["target"];
    return "<span class='text-block " + cssName + "'><a href='" + linkURL + "' target='_blank'>" + text.replace(/\s/i, " ") + "</a></span>";
If linkURL has a standard value, such as https://google.com, the generated HTML will be:

    <span class='text-block foo'> <a href='https://google.com' target='_blank'> bar </a> </span>
If linkURL has a maliciously crafted URL, such as

    '></a><img src='b' onError='alert("XSS !")'><a a='

the generated HTML will be:

    <span class='text-block foo'> <a href=''></a> <img src='b' onError='alert("XSS !")'> <a a='' target='_blank'> bar </a> </span>

When the browser renders it, the injected img tag's onError handler runs alert("XSS !") (which can be changed to anything malicious).
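As an added example (not code from PPTX2HTML or its author), here is the concatenation pattern described above next to a hardened builder that escapes every interpolated value and only accepts absolute http(s) URLs. The function names (buildLinkUnsafe, buildLinkSafe, escapeHtml, safeHref) are assumptions; the inputs are the page's own benign URL and breakout payload.

```javascript
// Added example (not PPTX2HTML's own code): the concatenation pattern
// shown above, next to a hardened builder that escapes attribute values
// and only accepts absolute http(s) URLs.

// Same shape as the vulnerable snippet: values are dropped into markup as-is.
function buildLinkUnsafe(cssName, linkURL, text) {
  return "<span class='text-block " + cssName + "'><a href='" + linkURL +
    "' target='_blank'>" + text.replace(/\s/i, " ") + "</a></span>";
}

// Escape the characters that can terminate a text node or an attribute value.
function escapeHtml(value) {
  var map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Accept only absolute http(s) URLs; anything else (javascript:, data:, relative
// or unparsable input such as the payload above) becomes an inert about:blank.
function safeHref(url) {
  try {
    var parsed = new URL(String(url));
    if (parsed.protocol === "http:" || parsed.protocol === "https:") {
      return parsed.href;
    }
  } catch (e) {
    // not an absolute URL: fall through to the inert value
  }
  return "about:blank";
}

// Hardened builder: every interpolated value is validated and/or escaped.
function buildLinkSafe(cssName, linkURL, text) {
  return "<span class='text-block " + escapeHtml(cssName) + "'><a href='" +
    escapeHtml(safeHref(linkURL)) + "' target='_blank' rel='noopener'>" +
    escapeHtml(String(text).replace(/\s/g, " ")) + "</a></span>";
}

// Constructed inputs: the benign URL and the breakout payload from the text.
var BENIGN_URL = "https://google.com";
var PAYLOAD_URL = "'></a><img src='b' onError='alert(\"XSS !\")'><a a='";

function demo() {
  return {
    unsafe: buildLinkUnsafe("foo", PAYLOAD_URL, "bar"),
    safe: buildLinkSafe("foo", PAYLOAD_URL, "bar"),
    benign: buildLinkSafe("foo", BENIGN_URL, "bar")
  };
}

console.log(demo());
```

Escaping alone is not enough for href, because a syntactically valid javascript: URL survives attribute escaping untouched; that is why the URL is validated separately before it is escaped.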
You can try this example using this file, using that exact same payload.
You can test the PPTX2HTML library online here: http://g21589.github.io/PPTX2HTML/; it will give the following result:
- 2018-11-27 : Vulnerability found
- 2018-11-27 : Original author (g21589) contacted
- 2018-11-27 : GitHub issue created
- 2018-11-27 : Reported on npm registry
- 2018-12-04 : NPM reached out to the maintainer
- 2018-12-07 : NPM published an advisory (but I did not manage to find it ...)
- 2019-01-02 : Releasing this report