Re: Remote file inclusion by office applications
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 13 Dec 2012 09:44:15 -0700
On 12/13/2012 07:59 AM, Timo Warns wrote:
> I would like to hear some opinions on whether remote file inclusion
> by office applications should be considered as security-relevant.
> At a minimum it can violate confidentiality (e.g. using it to track
> opening of a file), at worst it can be used as a vector for attack code.
> - Under certain conditions, remote content is directly embedded
> into a document. This may allow extraction of confidential data. For
> example, LibreOffice/OpenOffice directly embed remote content when
> converting a document into the PDF format. An attacker may send a
> document referencing confidential data to a victim asking the
> victim to convert the file. If the victim converts and sends the
> document back, the attacker receives the confidential data.
> In my opinion, these issues are a question of user expectation.
> Users are aware that web browsers may access remote content even
> when opening local files. I don't think users are aware that office
> applications may do the same. An 'offline mode' for office
> applications that is enabled by default could meet user
I just did some googling for LibreOffice and went through the config
UI in LibreOffice and can't find the option to disable or have it
prompt me when loading external data references. If anyone knows how
to block external data in LibreOffice by default I'd love to know how.
I'm kind of leaning towards classifying this as a security issue since
I expected there was some way to disable it or at least tell it to
prompt me when a document tries to go get an external data source
(e.g. "this document contains external data, the URLs/file paths it is
trying to reference are: [list of locations]") but apparently there
is no way to disable/have this prompt (at least that I can find in
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
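The prompt Kurt asks for ("this document contains external data, the locations it references are: [...]") can be approximated outside the office suite by inspecting the package before it is opened or converted. The following is an added example, not code from the thread or from LibreOffice: it unzips an ODF package in memory, walks the xlink:href attributes in its XML parts, and reports any target that resolves outside the package (an absolute URL or path). The sample document is constructed here for the demo; the rule for what counts as "external" is an assumption of this example, not an ODF definition.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# ODF package parts that can carry link targets (assumed sufficient for this check).
ODF_PARTS = ("content.xml", "styles.xml", "meta.xml", "settings.xml")
EXTERNAL_SCHEMES = {"http", "https", "ftp", "file", "smb"}


def is_external(href):
    """True if a link target would make the application fetch something outside the package."""
    parts = urlsplit(href)
    if parts.scheme:
        return parts.scheme.lower() in EXTERNAL_SCHEMES or parts.netloc != ""
    # No scheme: package-relative paths (Pictures/x.png, #anchor) are fine;
    # absolute or parent-escaping paths are not.
    return href.startswith("/") or href.startswith("../") or href.startswith("\\\\")


def external_refs(odf_bytes):
    """Return the sorted list of external xlink:href targets found in an ODF package."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        for part in ODF_PARTS:
            if part not in zf.namelist():
                continue
            for elem in ET.fromstring(zf.read(part)).iter():
                href = elem.get(XLINK_HREF)
                if href and is_external(href):
                    found.add(href)
    return sorted(found)


def build_sample():
    """Constructed minimal ODT-like package: one embedded image, two remote references."""
    content = (
        '<office:document-content '
        'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
        'xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" '
        'xmlns:xlink="http://www.w3.org/1999/xlink"><office:body><office:text>'
        '<draw:frame><draw:image xlink:href="Pictures/logo.png"/></draw:frame>'
        '<draw:frame><draw:image xlink:href="http://tracker.invalid/open.png"/></draw:frame>'
        '<draw:frame><draw:image xlink:href="file:///etc/hostname"/></draw:frame>'
        '</office:text></office:body></office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content)
    return buf.getvalue()


if __name__ == "__main__":
    for ref in external_refs(build_sample()):
        print("external reference:", ref)
```

Run it against a real .odt by passing the file's bytes to external_refs(); an empty list means no absolute link targets were found in the checked parts.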