I’m writing a web app that will read data from an Excel file submitted by an authenticated user by opening an OLEDB connection to it. Can anyone tell me the security risks of opening up an Excel file this way? I know dangerous macros can be embedded in Excel files, but is that still a risk when using an OLEDB connection?
No, there are no “Excel” security risks using OLEDB to read data from Excel workbooks. Any security risks will be through ADO (OLEDB) and not the Microsoft Excel application. Therefore, macros are not a concern, nor are cell formulas.
You may want to search for “ado oledb security excel” to satisfy your curiosity, but I do not believe you will find anything to worry about.
The first problem is you need to make sure that after the file is uploaded it cannot be accessed by the public. Make sure the files are stored outside of the web root. You also have to make sure they don’t upload a file with a .php extension, or a file name that contains ../../../../../. The ‘content-type’ is a user controlled variable and checking this value is a complete and total waste.

Next up is that when you open an Excel file this way it has to be parsed. This leads to Buffer Overflows like this one.

Make sure your system is fully up-to-date, but even then Microsoft has a terrible security track record and it’s likely that you’ll be vulnerable for many days out of each year.
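One way to apply the upload-handling advice in this answer, as an added example rather than the poster’s own code: the routine ignores Content-Type entirely, discards everything about the client-supplied name except a whitelisted Excel extension (so traversal sequences and server-executable extensions never reach the filesystem), and places the file under a random server-chosen name outside the web root. `UPLOAD_DIR` is an assumed path.

```python
import os
import secrets

# Assumed for this example: a directory the app can write to but the web
# server does not serve. Adjust to your deployment.
UPLOAD_DIR = "/var/app-data/uploads"
# The only extensions the OLEDB reader should ever be handed.
ALLOWED_EXTENSIONS = {".xls", ".xlsx"}


class RejectedUpload(ValueError):
    """Raised when the client-supplied file name fails validation."""


def validate_upload_name(client_name: str) -> str:
    """Return the extension to keep, or raise RejectedUpload.

    Only the extension survives validation; the rest of the client name is
    thrown away. The Content-Type header is deliberately not consulted,
    because the client controls it.
    """
    if not client_name or "\x00" in client_name:
        raise RejectedUpload("empty or NUL-containing name")
    # Reject any traversal sequence outright, whatever the separator style.
    if ".." in client_name:
        raise RejectedUpload("path traversal attempt")
    # Keep only the final path component, for both / and \ separators.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    if base in ("", "."):
        raise RejectedUpload("no file name component")
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise RejectedUpload(f"extension {ext!r} not allowed")
    return ext


def is_accepted(client_name: str) -> bool:
    """Convenience wrapper: True if the name passes validation."""
    try:
        validate_upload_name(client_name)
        return True
    except RejectedUpload:
        return False


def stored_path(client_name: str) -> str:
    """Compute an unpredictable, server-chosen path under UPLOAD_DIR."""
    ext = validate_upload_name(client_name)
    path = os.path.join(UPLOAD_DIR, secrets.token_hex(16) + ext)
    # Defence in depth: the result must still resolve inside UPLOAD_DIR.
    root = os.path.abspath(UPLOAD_DIR)
    if os.path.commonpath([root, os.path.abspath(path)]) != root:
        raise RejectedUpload("resolved path escaped the upload directory")
    return path
```

Save the request body to `stored_path(...)` and hand that path, never the client-supplied name, to the OLEDB connection string.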