doc, docx, xls and xls attachments - safe?

Jon12345

Well-known member
I have a request to have the above type files as attachments. Are these safe to allow or is there some security risk?
 
Definitely a risk. Office does force users to Enable stuff that they download now, but that still doesn't prevent someone leaving a "payload" in the form of a macro-virus and hoping someone just hits "Enable" without thinking. The risk is more to the users than you, but I wouldn't do it. Could come back and bite you. Though I suppose they could just post links to the files on a cloud drive, which shift the responsibility to the users themselves rather than on to you, the host.
 
Anything you allow up, images included, can contain malicious stuff. It's unlikely.

It's also a good reason to store your attachments on s3/etc that way they don't sit on your box to exploit.
 
To be clear, I am referring to there being a risk to my website and server. I know that files can have malicious stuff in them, like pdfs and so on. I am just wondering if they pose an actual risk to my server and site.
 
Yeah, that's what we're implying. If it's on your server, and it's bad, it can execute.

It's very hard to have code execute in an MS file without the 'm' suffix in it (e.g. xlsm), so definitely don't allow those.
 
FWIW, I recall seeing a file scanner addon around here somewhere... not sure how well it works or if it's still supported or anything, but it might be helpful.
 
I don't believe those files can pose risk to your server as long as they are not being parsed. I don't see any danger in just hosting them. Images can actually be more dangerous considering they are definitely being processed and parsed server side and considering that every now and then there's a vulnerability in image processing libraries.

The only risk I can think of in just hosting them is an indirect one, and it's when users host files on your server and then use them as a second-step exploitation in an attack they are making on another server. For example, if another website is vulnerable to RFI they might fetch a backdoor/payload from your server via a file they uploaded. Then you might get in trouble and get your server blacklisted or even shut down.

P.S.: saving the files in a database might be another story.
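As an added example (not code from this thread or from any forum software), here is the upload check that the advice in the replies above amounts to: allow only the non-macro Office extensions, confirm the bytes match the claimed container, and reject an OOXML file that carries a VBA project even when it has been renamed to .docx/.xlsx. The sample inputs are constructed; macros inside legacy .doc/.xls OLE files are not detected by the magic-byte check, so those would need an OLE parser such as oletools.

```python
import io
import zipfile

# Container signatures (well-known magic bytes, not page-specific values)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls compound file
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.xlsx) is a zip

ALLOWED_EXT = {"doc", "docx", "xls", "xlsx"}      # no 'm' (macro-enabled) variants
MACRO_ENABLED_EXT = {"docm", "xlsm", "dotm", "xltm", "pptm"}


def ooxml_has_vba(data: bytes) -> bool:
    """True if an OOXML zip contains a VBA project part (i.e. it carries macros)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def check_attachment(filename: str, data: bytes) -> tuple:
    """Decide whether to accept an uploaded Office attachment: (accepted, reason)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in MACRO_ENABLED_EXT:
        return False, "macro-enabled extension"
    if ext not in ALLOWED_EXT:
        return False, "extension not on allow-list"
    if ext in ("doc", "xls"):
        # Legacy binary format: only the container is verified here; OLE macro
        # streams would need a dedicated parser (e.g. oletools) to detect.
        if not data.startswith(OLE_MAGIC):
            return False, "content is not an OLE container"
        return True, "legacy binary format (macros not inspected)"
    # docx/xlsx: must be a zip and must not hide a VBA project under a safe name
    if not data.startswith(ZIP_MAGIC):
        return False, "content is not an OOXML zip"
    if ooxml_has_vba(data):
        return False, "renamed macro-enabled document"
    return True, "ok"


def make_sample_ooxml(with_vba: bool) -> bytes:
    """Constructed minimal OOXML-like zip for testing; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()
```

Serving accepted files with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` keeps the browser from rendering them inline, which addresses the risk to users rather than to the server.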
 