gameratheart
Dec 18 2005, 03:04 AM
Major Security Issue Exists in Source of Word-Created Web pages!This is an URGENT news bulletin to anyone who owns a website!!! Problem: A serious security exploit exists in the source of these documents that allows anyone who is able to view the source of the page to gain personally identifiable information relevant to the document. This is due to Microsoft Word's method of dealing with web pages - Microsoft Word, despite being able to create Web Pages/Templates, does not actually understand their format, and so it stores the Word program data into the source of the page so that, when it is opened up later, word can read the source and translate it into a Word Page. However, since all Word documents require the name of the Author, Owner, Creator and Company, this data is also stored in the source. This data is not removed when uploading the webpage to any site, allowing people to view the source and see this data, putting your own personal security at risk. In case you did not understand the above, here is a quote from my website which summarises the above in less detail: QUOTE("Denzipets News Desk") We have had to completely change the layout of some of the pages on our server ... due to privacy implications in the document source. The problem occoured because the pages were made using Microsoft Word. So that Microsoft Word could open them again, it stored program information into the source of all the pages it made.
Unfortunately, this caused some personally identifiable information to be stored in the document's source, which posed a high risk to some of the members of the team and their families. To prevent this data from being used by malicious hackers, we have had to rewrite these pages using alternate HTML editors. Severity: Critical, especially if the details for Owner, Author or Corporation are actual names or adresses. Solution: I have found three solutions to remove these. - Edit the source of all uploaded pages and get rid of most of the header. This will get rid of the program data, however it can also muck up the design of the pages.
- After saving the document, view the document's propeties. This can be done either thorough explorer on in the File > Properties menu in Microsoft Word. Get rid of all data that identifies you as the owner of the document, or change it to not show actual names.
- Alternatively, you can save the document contents into another HTML editor, getting rid of the foreign tags. Then destroy the original word document.
It is rumoured that later versions of word do not have such an exploit, although this has not been confirmed. Personally however, I would rather not risk it and advise all people attempting to make their site through HTML Editors and other Helper programs, to steer clear from Word. This topic was made entirely by NDPA. The Quote used above, orginally posted by me, was copied from my own website, and edited as necessary. Under no circumstances may you use the above quote in any way without my explicit permission. UPDATED: Methods of fixing glitch updated. Also corrected some typos.
Reply
wild20
Dec 18 2005, 05:37 AM
This is serious! Thanks for the update. I am lucky I do not use Microsoft word for the creation of webpages. Think of the people who are literally giving out there information. Where you found this, I have no idea but it is a good piece of critical personal security. It seems strange though that Microsoft word would create a source that allows hackers to get into it. A hackers haven obviously. They should re-do it as soon as possible so thta people don't get identity theft. I know some people use Microsoft word because it is easier to upload and create templates. But never in my life would I think that hackers just love this way  It is just a good thing you posted this. Pass it on guys! Thanks again.
Reply
Saint_Michael
Dec 18 2005, 06:01 AM
nice find but lucky enough most people don't even use word to make web pages.
Reply
DreamCore
Dec 18 2005, 12:14 PM
Wow thanks for that information lycky me who does not eather use word as an webpage creator. But I dident knew that Word can wiew the source code for an page. Lol , lycky that hompage that discovered that word can rewiew sorce code from an document. 
Reply
gameratheart
Dec 18 2005, 01:31 PM
DreamCore, it is not just word that can see the source. Have you heard of "View Source"? It is easily available this way too, because word stores the data in the document header. And the website that got this data... in case you didn't read the above, it was my website.
Reply
moldboy
Dec 18 2005, 07:09 PM
Here is a site I built a Verrrry long time ago, in word. You could I all look at it for an example: http://ahsnews.itgo.com/I don't see to much information, Office version and the locaiton of the html template.
Reply
gameratheart
Jan 16 2006, 09:52 PM
QUOTE(moldboy @ Dec 18 2005, 07:09 PM) Here is a site I built a Verrrry long time ago, in word. You could I all look at it for an example: http://ahsnews.itgo.com/I don't see to much information, Office version and the locaiton of the html template. Since you used a template, Word checks the template for the Document Info. I don't know if this is the reason why the data does not show on your source though. It may be that Word 97 does not have this exploit (the source claims you use Word 97). I only tested this on Word 2000. Do tell me if other versions do/don't have this exploit.
Reply
jlhaslip
Jan 20 2006, 01:07 AM
Wow! A security consideration using a Micro$oft application. I have always been of the opinion that Html likes the simple text-editors like Notepad rather than the fancy ones. I thought it has to do with the methods the bigger editors use to store linefeeds and tabs and carriage returns, etc, but this sounds like the Html doesn't like the meta-data either. I use notepad don't have this problem.
Reply
wariorpk
Jan 20 2006, 06:50 PM
That could be very bad. Microsoft should have reviewed the code that Word created before they added this feature. Most people probably do not even know you can make web sites in Word so it is not that big of a deal. I am hoping that Microsoft takes this seriously and makes a patch or something for those who choose to use Word as their web authoring software.
Reply
Similar Topics
Keywords : s, si, e, found, source, word, created, web, pages, urgent, attention, required, word
- Javascript Postamble(); What Is It?
when viewing a web source code it appears (5)
Attention All Ipb Users/admin
Important exploit discovered! (6) Invision Power Board v2.1.6 © 2006 IPS, Inc. This is what it is written on the bottom of the
board. Not so long ago, i was surfing somewhere, (i wont say where) and i discovered a "sql
injection"exploit, a perl script. QUOTE(step28 in the hack) 28. Reload and click on the
username to the admin. You are now logged in as an ADMIN!!! Admins, pm to receive
the link where i found this. with this hack, you can log in with any user without his pass.
It's really easy to do, you just need PERL, Opera webbrowser and 3 minutes fo your life... ....
Fix To Problem: Open Source
(5) I've used various Open-source programs over time. I used Knoppix to revive an almost-dead
computer; 7-Zip to open .tar.gz files under Window$; and the Mambo CMS under PHP, Apache and
Linux for my web site. I've found most open-source programs to be faster, leaner and easie to
use than their commercial counterparts. Here's my reccomendation: use open-source software. Bugs
are patched faster, there have more features, and much lower price tags (actually, free). You might
have to do a little research to find these products; but once you do, they are worth ....
Exploits Refrence
Available source codes on NET (13) Hi all, I prefer to create a post here and send exploits all here, not in different posts ... Hope
to enjoy /smile.gif' border='0' style='vertical-align:middle' alt='smile.gif' /> :: ProZilla
"ftpsearch" Results Handling Client-Side Buffer Overflow Exploit #include #include #include
#define OVERFLOW (1 #define SLEDSIZ (1 #define RETADDR 0x806977a+SLEDSIZ/2 #define OUTPUT
"AdvResults.asp" /* * prozilla bug, found while auditing for gentoo bug #70090 *
-taviso@gentoo.org */ /* execve() /bin/id */ unsigned char shellcode =
"\x33\xc9\x83\....
Looking for s, si, e, found, source, word, created, web, pages, urgent, attention, required, word
|
|
Searching Video's for s, si, e, found, source, word, created, web, pages, urgent, attention, required, word
|
advertisement
|
|
