
Microsoft Office XP Spreadsheet Host().SaveAs() File Creation Vulnerability

Microsoft Office XP provides a spreadsheet component that can be embedded in web pages and Office documents. This spreadsheet component contains a bug in a function called HOST() that can be exploited to write arbitrary files. This can be done from Office documents, and possibly through other vectors such as HTML mail.

This is accomplished by embedding a spreadsheet object containing a formula similar to the following:

=Host().SaveAs("arbitraryfilename")

Microsoft has released patches which address a related vulnerability (BugTraq ID 4397 "Microsoft Outlook HTML Mail Script Execution Vulnerability"). However, it has been reported that these patches do not address this issue in the Excel component of Office XP.
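
As an added example (not part of the original advisory), a mail or web content filter can flag the formula described above before the content reaches the spreadsheet component. The function names and sample inputs are constructed for illustration, and the sketch assumes the content is already available as text; documents in binary formats would need to be extracted first.

```python
import html
import re
from urllib.parse import unquote

# Matches =Host().SaveAs(...) in any letter case, tolerating whitespace
# between tokens, and captures a quoted filename argument when present.
_HOST_SAVEAS = re.compile(
    r"""=\s*Host\s*\(\s*\)\s*\.\s*SaveAs\s*\(\s*(?:"([^"]*)"|'([^']*)')?""",
    re.IGNORECASE,
)

def normalise(text, max_rounds=3):
    """Undo layered HTML-entity and percent encoding until the text is stable."""
    for _ in range(max_rounds):
        decoded = unquote(html.unescape(text))
        if decoded == text:
            break
        text = decoded
    return text

def find_host_saveas(content):
    """Return the target filename of every Host().SaveAs() formula found.

    An entry is None when the argument is not a quoted literal
    (for example a cell reference), which is still worth flagging.
    """
    hits = []
    for m in _HOST_SAVEAS.finditer(normalise(content)):
        hits.append(m.group(1) if m.group(1) is not None else m.group(2))
    return hits

# Constructed sample inputs (not taken from any real message).
SAMPLES = {
    "entity-encoded": '<td x:fmla="=Host().SaveAs(&quot;example.txt&quot;)"></td>',
    "percent-encoded": "=host ( ) . saveas ( %22example2.txt%22 )",
    "double-encoded": "=Host().SaveAs(&amp;quot;example3.txt&amp;quot;)",
    "cell-reference": "=Host().SaveAs(A1)",
    "benign": "=SUM(A1:A3)",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        found = find_host_saveas(body)
        print(f"{name}: {'FLAG ' + repr(found) if found else 'clean'}")
```
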







 

Copyright 2009, SecurityFocus