Jump to content
xisto Community
gameratheart

S Si/e Found In Source Of Word-created Web Pages! URGENT ATTENTION REQUIRED if using word

Recommended Posts

Major Security Issue Exists in Source of Word-Created Web pages!

 

This is an URGENT news bulletin to anyone who owns a website!!!

 

Problem: A serious security exploit exists in the source of these documents that allows anyone who is able to view the source of the page to gain personally identifiable information relevant to the document. This is due to Microsoft Word's method of dealing with web pages - Microsoft Word, despite being able to create Web Pages/Templates, does not actually understand their format, and so it stores the Word program data into the source of the page so that, when it is opened up later, word can read the source and translate it into a Word Page.

 

However, since all Word documents require the name of the Author, Owner, Creator and Company, this data is also stored in the source. This data is not removed when uploading the webpage to any site, allowing people to view the source and see this data, putting your own personal security at risk.

 

In case you did not understand the above, here is a quote from my website which summarises the above in less detail:

 

We have had to completely change the layout of some of the pages on our server ... due to privacy implications in the document source. The problem occoured because the pages were made using Microsoft Word. So that Microsoft Word could open them again, it stored program information into the source of all the pages it made.

 

Unfortunately, this caused some personally identifiable information to be stored in the document's source, which posed a high risk to some of the members of the team and their families. To prevent this data from being used by malicious hackers, we have had to rewrite these pages using alternate HTML editors.


Severity: Critical, especially if the details for Owner, Author or Corporation are actual names or adresses.

 

Solution: I have found three solutions to remove these.

Edit the source of all uploaded pages and get rid of most of the header. This will get rid of the program data, however it can also muck up the design of the pages.

After saving the document, view the document's propeties. This can be done either thorough explorer on in the File > Properties menu in Microsoft Word. Get rid of all data that identifies you as the owner of the document, or change it to not show actual names.

Alternatively, you can save the document contents into another HTML editor, getting rid of the foreign tags. Then destroy the original word document.

It is rumoured that later versions of word do not have such an exploit, although this has not been confirmed. Personally however, I would rather not risk it and advise all people attempting to make their site through HTML Editors and other Helper programs, to steer clear from Word.

 

This topic was made entirely by NDPA. The Quote used above, orginally posted by me, was copied from my own website, and edited as necessary. Under no circumstances may you use the above quote in any way without my explicit permission.

 

UPDATED: Methods of fixing glitch updated. Also corrected some typos.

Edited by NDPA (see edit history)

Share this post


Link to post
Share on other sites

This is serious! Thanks for the update. I am lucky I do not use Microsoft word for the creation of webpages. Think of the people who are literally giving out there information. Where you found this, I have no idea but it is a good piece of critical personal security.It seems strange though that Microsoft word would create a source that allows hackers to get into it. A hackers haven obviously. They should re-do it as soon as possible so thta people don't get identity theft.I know some people use Microsoft word because it is easier to upload and create templates. But never in my life would I think that hackers just love this way ;) It is just a good thing you posted this. Pass it on guys! Thanks again.

Share this post


Link to post
Share on other sites

Wow thanks for that information lycky me who does not eather use word as an webpage creator. But I dident knew that Word can wiew the source code for an page. Lol , lycky that hompage that discovered that word can rewiew sorce code from an document. ;)

Share this post


Link to post
Share on other sites

DreamCore, it is not just word that can see the source. Have you heard of "View Source"? It is easily available this way too, because word stores the data in the document header.And the website that got this data... in case you didn't read the above, it was my website. ;)

Share this post


Link to post
Share on other sites

Here is a site I built a Verrrry long time ago, in word.  You could I all look at it for an example:

http://ahsnews.itgo.com/

 

I don't see to much information, Office version and the locaiton of the html template.

213975[/snapback]

Since you used a template, Word checks the template for the Document Info. I don't know if this is the reason why the data does not show on your source though.

 

It may be that Word 97 does not have this exploit (the source claims you use Word 97). I only tested this on Word 2000.

 

Do tell me if other versions do/don't have this exploit.

Share this post


Link to post
Share on other sites

Wow! A security consideration using a Micro$oft application.I have always been of the opinion that Html likes the simple text-editors like Notepad rather than the fancy ones. I thought it has to do with the methods the bigger editors use to store linefeeds and tabs and carriage returns, etc, but this sounds like the Html doesn't like the meta-data either.I use notepad don't have this problem.

Share this post


Link to post
Share on other sites

That could be very bad. Microsoft should have reviewed the code that Word created before they added this feature. Most people probably do not even know you can make web sites in Word so it is not that big of a deal. I am hoping that Microsoft takes this seriously and makes a patch or something for those who choose to use Word as their web authoring software.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...

Important Information

Terms of Use | Privacy Policy | Guidelines | We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.