OpenOffice.org Forum at OOoForum.orgThe OpenOffice.org Forum
 
 [Home]   [FAQ]   [Search]   [Memberlist]   [Usergroups]   [Register
 [Profile]   [Log in to check your private messages]   [Log in

security flaw - has this been seen before - Execl import
Goto page 1, 2  Next
 
Post new topic   Reply to topic    OOoForum.org Forum Index -> OpenOffice.org Calc
View previous topic :: View next topic  
Author Message
fauxn
Newbie
Newbie


Joined: 30 Apr 2006
Posts: 3

PostPosted: Sun Apr 30, 2006 7:43 pm    Post subject: security flaw - has this been seen before - Execl import Reply with quote

Hi all,

This is potentially a major problem. In Excel it's possible to protect a workbook preventing anyone from modifying data validation. However, upon importing the Excel file into OOc the protection is able to be turned off without the use of the password set in Excel effectively bypassing the workbook protection. This also occurs visa versa! Sad

Has this been noticed before (if not I'll add this to the bug list)?

Cheers
Noel
Back to top
View user's profile Send private message
noranthon
Super User
Super User


Joined: 07 Jul 2005
Posts: 3318

PostPosted: Sun Apr 30, 2006 10:58 pm    Post subject: Reply with quote

Comments have been made about the former and I gained the impression that that was regarded as a security flaw in excel. If it happens vice versa, I believe it would be in OOo's interest to file an issue.
Back to top
View user's profile Send private message
fauxn
Newbie
Newbie


Joined: 30 Apr 2006
Posts: 3

PostPosted: Sun Apr 30, 2006 11:24 pm    Post subject: Reply with quote

The latter was the case on a Mac, I'll test it on a windows machine, either way I'll post a bug on the OO site.

Cheers
Noel
Back to top
View user's profile Send private message
Villeroy
Super User
Super User


Joined: 04 Oct 2004
Posts: 10106
Location: Germany

PostPosted: Mon May 01, 2006 1:00 am    Post subject: Reply with quote

There is no password-protection in Excel. You can read the entire file, when you know about the file format. There is just a block of bytes, indicating that the app should ask for a password if the block has other bytes than [...]. When using a password with a Calc-document the file gets encrypted. Same with those VBA-passwords. If you are curious about a VBA-macro in a document, just open in OOo.
Back to top
View user's profile Send private message
9point9
Moderator
Moderator


Joined: 31 Aug 2004
Posts: 3875
Location: UK

PostPosted: Mon May 01, 2006 1:09 am    Post subject: Reply with quote

fauxn wrote:
either way I'll post a bug on the OO site.

It's not an OOo bug at all. It's an obvious security flaw in the Excel format. Entering a bug report wouldn't be worthwhile as it'll probably be marked as invalid.

OOo is only doing what it is supposed to do: Interpret as much as the Excel file as it can. SInce the file has no form of encyption, there is nothing to stop OOo from opening it. This is a very useful thing to be able to do.
_________________
Arch Linux
OOo 3.2.0

OOoSVN, change control for OOo documents:
http://sourceforge.net/projects/ooosvn/
Back to top
View user's profile Send private message Visit poster's website
noranthon
Super User
Super User


Joined: 07 Jul 2005
Posts: 3318

PostPosted: Mon May 01, 2006 1:25 am    Post subject: Reply with quote

The flaw is that it apparently works the other way around. He was able to bypass protection on an OOo document opened in the other programme.
Back to top
View user's profile Send private message
Villeroy
Super User
Super User


Joined: 04 Oct 2004
Posts: 10106
Location: Germany

PostPosted: Mon May 01, 2006 1:37 am    Post subject: Reply with quote

Sorry for getting this wrong. You have an issue with the protection data-validation rather than file-protection. Calc treats this feature as an advanced edit help, preventing typos and misleading entries. It's not a security-feature, able to keep integrity of your data. This can be done more easily and reliable with a *simple* database. A spreadsheet is designed to keep any kind of data in any row or column.
Back to top
View user's profile Send private message
9point9
Moderator
Moderator


Joined: 31 Aug 2004
Posts: 3875
Location: UK

PostPosted: Mon May 01, 2006 1:38 am    Post subject: Reply with quote

noranthon wrote:
The flaw is that it apparently works the other way around. He was able to bypass protection on an OOo document opened in the other programme.

To the best of my knowledge OOo can not properly protect data in foreign formats. It's not really a flaw and as a feature would be very hard to implement due to the closed specification of the Excel format.
_________________
Arch Linux
OOo 3.2.0

OOoSVN, change control for OOo documents:
http://sourceforge.net/projects/ooosvn/
Back to top
View user's profile Send private message Visit poster's website
noranthon
Super User
Super User


Joined: 07 Jul 2005
Posts: 3318

PostPosted: Mon May 01, 2006 2:06 am    Post subject: Reply with quote

Which exposes a weakness in this whole strategy of MS-compatibility. Ho-hum. Cool
Back to top
View user's profile Send private message
David
Super User
Super User


Joined: 24 Oct 2003
Posts: 5668
Location: Canada

PostPosted: Mon May 01, 2006 4:54 am    Post subject: Re: security flaw - has this been seen before - Execl import Reply with quote

Add it to Excel's bug list. A long time ago now I noticed that a "protected" Excel file could have the protection bypassed by simply opening it in Quattro Pro. That may not always work, but certainly did at that level.

I have not had the opportunity, or urge to test Quattro Pro's protection capability in the same way. Perhaps someone else, or yourself, might have the time to do this?

David.
Back to top
View user's profile Send private message
fauxn
Newbie
Newbie


Joined: 30 Apr 2006
Posts: 3

PostPosted: Tue May 02, 2006 8:12 pm    Post subject: Reply with quote

Hi all,

I tested the reverse on a Window$ box, as expected, the same result.

Given this problem, there should be a warning that the protection will be void if saved in another format such as Excel, untill M$ open up Excel sometime in the next 1K years. Not just the standard warning that some features maybe lost.

Is this protection void if saved in an other formats such as the open document format?

Ok, I accept that it's not a bug in OO, but the above comment should be come a feature request. This issue may encourage M$ to either open the Excel format a little more or adopt the open document format.

Cheers
Noel
Back to top
View user's profile Send private message
Villeroy
Super User
Super User


Joined: 04 Oct 2004
Posts: 10106
Location: Germany

PostPosted: Tue May 02, 2006 10:57 pm    Post subject: Reply with quote

*Their* future is DRM (newspkeak: "trusted computing").
http://en.wikipedia.org/wiki/Digital_Rights_Management
Back to top
View user's profile Send private message
9point9
Moderator
Moderator


Joined: 31 Aug 2004
Posts: 3875
Location: UK

PostPosted: Wed May 03, 2006 12:47 am    Post subject: Reply with quote

fauxn wrote:
Is this protection void if saved in an other formats such as the open document format?

In OpenDocument it will work fine and to the best of my knowledge would be unbreakable.

fauxn wrote:
This issue may encourage M$ to either open the Excel format a little more or adopt the open document format.

I prefer the latter. The former I don't see to be possible as I'm really not sure if there actually is a specification as such.
_________________
Arch Linux
OOo 3.2.0

OOoSVN, change control for OOo documents:
http://sourceforge.net/projects/ooosvn/
Back to top
View user's profile Send private message Visit poster's website
sonrock3
Newbie
Newbie


Joined: 10 May 2006
Posts: 4
Location: Midlands, UK

PostPosted: Wed May 10, 2006 3:59 am    Post subject: passworded files Reply with quote

Ditto!
As a new OOo user I was surprised and shocked to discover this security flaw. But it's useful to know (from one post here) that I cannot rely on file passwording to protect my spreadsheets from users being able to modify them (e.g. to remove my name + copyright statements so that they can re-present them as there own!)

Or put it another way, can anyone suggest how to make my files properly secure (from users modifying them an dpreferably even to stop users saving them)?
_________________
Stephen on rock 3
Back to top
View user's profile Send private message
9point9
Moderator
Moderator


Joined: 31 Aug 2004
Posts: 3875
Location: UK

PostPosted: Wed May 10, 2006 7:24 am    Post subject: Reply with quote

If you're talking about Excel files, there is no way. If you just have a table of numbers that you want to present then do it as a PDF.
_________________
Arch Linux
OOo 3.2.0

OOoSVN, change control for OOo documents:
http://sourceforge.net/projects/ooosvn/
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   
Post new topic   Reply to topic    OOoForum.org Forum Index -> OpenOffice.org Calc All times are GMT - 8 Hours
Goto page 1, 2  Next
Page 1 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group