Apache OpenOffice (AOO) Bugzilla – Issue 48659
Graphics-Interaction-Calls : Uncontrolled execution of possibly harmful code.
Last modified: 2005-05-12 11:27:36 UTC
In a presentation you can link an interaction command to a graphic contained in the presentation. The user may click on the graphic in edit-mode or fullscreen-viewing-mode [F5] and will hereby start the linked executable. The problem is that when opening a presentation in OOo "graphic-interaction-calls" do not get checked for authorization like traditional macro programs and will later be executed without any sort of restrictions. Problems arise when attackers create presentations which have graphics spawned accross the whole slide and are thereby leading the user into clicking the graphic linked with malicious code. This scenario could be fruitful in any case where users are navigating in full-screen-mode via mouse (f.e. left-button mouse to proceed to next slide) or are just working with the presentation in normal edit-mode. Further problems arise due to the fact, that OOo stores the link to the executable in the file content.xml as relative path such as f.e. <presentation:event-listener script:event-name="dom:click" presentation:action="execute" xlink:href="../your-malicious-code-deep-hidden-and-named-as-an-graphic-file-here" xlink:type="simple" xlink:show="new" xlink:actuate="onRequest"/> thus allowing attackers to transfer malicious code into the system, because the harmful code be hidden in subsequent directory structures such as a 'graphics' directory. (Virus scanners should be able detect the malicious code, however situations remain, where users might be opening foreign presentation having not checked file contents before..) I'd like to nominate this issue as showstopper for 2.0
Created attachment 25761 [details] sample file
Reassigned. Please decide how severe this is and what can be done about it. Thanks.
Sorry, wrong owner.
Adding myself to CC...
Since we don't have time for any ui changes yet, I will try to recycle the hyperling security warning dialog. Therefore, if a user clicks on a shape with a execute program interaction, the dialog with title "Security Warning" and text "This hyperlink is going to open "%s". Do you want to proceed?" pops up and gives the user the chance to cancel execution. Anyone agree that this is a good solution for OOo 2.0?
Ok, fixed as explained above. When clicking on help the help text is actually wrong since it only talks about macros. But I guess thats not that bad since it is also wrong for hyperlinks. I filed issue 48687 to have a better fix for next feature release Solution was to execute SID_OPENDOC instead of using sal to execute a ClickAction_PROGRAM url. fixed in fusel.cxx and slideshowimpl.cxx
Please note, the given bugdoc will not trigger this dialog. It will only come on executables like .exe .com .bat .pif e.t.c., not on graphics or documents
Verified on CWS, back to qa re-open issue and reassign to wg@openoffice.org
reassign to wg@openoffice.org
reset resolution to FIXED
hi all, it's great to see this fixed so soon. However, if i understand correctly the problem is not fully solved so far: >> [..] this dialog. It will only come on >>executables like .exe .com .bat .pif e.t.c., not on graphics or documents Does this mean that the fix will not block all of Graphics-Interaction-Calls?
Reviewed in CLs absence. The code in slideshowimpl.cxx rev. 1.18.26.1 and fusel.cxx rev. 1.31.144.1 looks OK.
Verified in CWS.
Tested in master m103. Closed.