> About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.
iDocView is an online document parsing service designed for convenient file viewing and editing. However, a critical security flaw discovered in 2023 exposed its servers to remote code execution (RCE) via a poorly protected API.
Here's what happened — and why it matters.
What’s the Vulnerability?
In November 2023, the iDocView team released a security patch addressing a high-risk RCE vulnerability in its document preview feature (/html/2word). The root cause? Lack of proper input validation for external URLs.
Vulnerability Details
The issue lies in the remote page caching functionality. The API allows users to provide an external URL, which the system then fetches and parses. But without strict validation, attackers can craft a malicious link that causes the server to download and execute arbitrary files.
This opens the door for:
- Remote server control
- Data breaches
- Further lateral movement inside the network
How the Exploit Works
To exploit the flaw, an attacker simply sends a crafted request to the vulnerable endpoint, embedding a URL that hosts a malicious file. If successful, the server:
- Downloads the file
- Processes it
- Returns a predictable response (MIME type and status code)
- Executes attacker-controlled commands
This makes it easy to automate the attack using scripts.
Affected Versions
iDocView versions < 13.10.1_20231115
If you're running an older version, you're at risk.
Mitigation & Fix
Temporary Mitigation
If you can’t update immediately:
- Use a firewall to restrict access to the affected system
- Only allow trusted IPs or networks
- Block access to the vulnerable
/html/2wordendpoint if it's not essential
Permanent Solution
Upgrade to the latest version released on November 15, 2023.
Download it from the official site or contact their support team for a patch.
Proof of Concept (PoC)
Timeline
- Aug 23, 2023 – Vulnerability reproduced by Chaitin Security Emergency Lab
- Nov 15, 2023 – iDocView released a patched version
- Nov 21, 2023 – Vulnerability details disclosed online
- Nov 22, 2023 – Chaitin Security issued a public advisory
References
- Official advisory: https://www.idocv.com/about.html
If you're using iDocView, update immediately. Don’t let a simple document viewer become your server’s weakest link.
Join the SafeLine Community
If you continue to experience issues, feel free to contact SafeLine support for further assistance.
Top comments (0)