<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Don't trust that data!</title><link>http://blogs.msdn.com/ptorr/archive/2004/04/12/111342.aspx</link><description>A while ago I wrote a couple of blog entries on code repurposing and some mitigations, and one of the main causes of that problem is that developers inherently trust data. The text box caption says Name, so it's always gonna contain the user's name,</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>re: Don't trust that data!</title><link>http://blogs.msdn.com/ptorr/archive/2004/04/12/111342.aspx#112056</link><pubDate>Tue, 13 Apr 2004 06:22:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:112056</guid><dc:creator>Eric Carter</dc:creator><description>It seems to me that the attack doesn't even have to be so sophisticated as to involve formulas and certainly doesn’t need to involve code.&lt;br&gt; &lt;br&gt;If some script on the server is grabbing data out of the spreadsheet, it is going to want to look in a particular location of the spreadsheet to get the data.&lt;br&gt;&lt;br&gt;There are two ways I know of for the script to grab this data out of the spreadsheet.  First, you create a named range--for example &amp;quot;ExpenseAmount&amp;quot; maps to Sheet1!$A$5.  Second, you do it based on absolute address, just Sheet1!$A$5.  &lt;br&gt;&lt;br&gt;Either of these can be subverted.  For a named range, users can just edit the name of the range to point to something else--say Sheet3!$ZZ$3000.  Then they put into the Sheet1!$A$5 the reasonable expense and into Sheet3!$ZZ$3000 the unreasonable one that no one--except the script on the server--will look at.
&lt;br&gt;&lt;br&gt;If the script is grabbing data out of the spreadsheet based on an absolute location, the attacker just has to hide column A and replace it with a column B.  With the unreasonable number in the hidden column A and the reasonable number in the unhidden column B, once again the same attack is enabled without any real fanciness.  If you want to get fancy, you can hide the row and column headers in Excel so you wouldn't be able to even detect this attack.&lt;br&gt;&lt;br&gt;It seems like launching an attack via cached data is the hardest of all possible attacks because you actually have to write a bunch of code to do so.&lt;br&gt;&lt;br&gt;Also, I wonder if document protection in Excel/Word could be used to provide a secure UI.  It sure seems unfortunate to have to display a WinForm to show your Excel data.</description></item><item><title>Follow up to </title><link>http://blogs.msdn.com/ptorr/archive/2004/04/12/111342.aspx#112405</link><pubDate>Tue, 13 Apr 2004 20:19:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:112405</guid><dc:creator>Office Development, Security, Randomness...</dc:creator><description /></item></channel></rss>