We are writing a (web) application that will include a function that will read data from and write data to Excel. Some of these inputs will come directly from the user.
I'm trying to assess whether there are any significant attack vectors here. Obviously we have tried and tested patterns for sanitizing data for other technologies (e.g. SQL injection), but I'm not really clear what issues might exist for an Excel document.
I'm trying to establish whether there are any values that could (if blindly used) cause:
- Malicious execution of other applications
- Application to hang, thus hanging the process
- Other data in the Excel sheet to be changed
The Excel sheet is never exposed to the user, so I'm not so worried about serving the document back to the user. I am instead worried about hardening the server that the application will run on.
We are running an ASP.NET (C#) web application around a SpreadsheetGear component, if that is relevant.