Possible exploits for PHPword/ PHPexcel

Asked Jan 10 '14 at 05:09

Active Jan 10 '14 at 21:33

Viewed 1,498 times

I'm trying to identify what exploits to guard against when anonymous users generate reports with PHPword and PHPexcel (or similar libraries).

Specifically, I'm worried about textarea inputs where the user can enter about half a page. The amount of text makes it hard to validate/ sanitise the data.

The two contexts are:

User submits the form to PHPword, it's processed and downloaded to that user only using headers then the file is destroyed using unlink().
User submits the form to PHPexcel, it's processed and a .xlsx written to a folder, then downloaded by us (deleted from server) and executed on our machines.

I am worried the textarea fields are large enough to attack the server or include an .xlxs exploit.

Basically what are the exploits when nothing is output to the browser or stored in a database and there is no session to hijack?

edited Jan 10 '14 at 21:33

asked Jan 10 '14 at 05:09

Aman

Where are the scripts? – sikas Jan 10 '14 at 06:40
@sikas, sorry I'm not sure what you mean about where the scripts are? – Aman Jan 10 '14 at 07:03
I mean, where are the files that has the codes .. It has to be analyzed for your question to be answered. – sikas Jan 10 '14 at 09:08
ah, I get it. No code to post as I'm just after help understanding what attacks I need to defend against. I'll improve the question ... – Aman Jan 10 '14 at 10:05

Possible exploits for PHPword/ PHPexcel

0 Answers0