Planned
Last Updated: 16 Mar 2023 13:29 by ADMIN
Tim
Created on: 10 Mar 2023 05:16
Type: Feature Request
Security Vulnerability - Add an export parameter to Excel (xls & xlsx) exports to escape Macros
A security vulnerability with Excel exports from Telerik Reporting is Macro Injection attacks.
This regularly raises flags during security audits.
Essentially, users can create data in the system that will appear in a cell of the report and execute as a macro, allowing custom code to run on the computers of anyone who opens the xls or xlsx file.

Currently there is a setting to protect Telerik's CSV exports ("FormulaPrefix"):
https://docs.telerik.com/reporting/doc-output/configure-the-export-formats/csv-device-information-settings

The same setting should be introduced for Excel (xls & xlsx) exports.
It should be another parameter of the xls/xlsx export extensions.


2 comments
ADMIN
Ivan Ivanov
Posted on: 16 Mar 2023 13:29

Hi Tim,

We recognize this feedback, so I have logged an issue in our tracking system to mitigate this behavior in a way similar to the CSV options. I am adding 1000 Telerik points as a token of gratitude for your effort. We will do our best to include this setting in our next major release, but you can still subscribe to the item that I created on your behalf in order to get notified of any future updates.

Regards,
Ivan Ivanov
Progress Telerik

Tim
Posted on: 10 Mar 2023 05:21
Here is an overview of this attack vector and suggested remediation approaches:
https://owasp.org/www-community/attacks/CSV_Injection
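As an added illustration of the remediation the OWASP page recommends (not Telerik's code and not tied to the Telerik Reporting API), the function below applies the same rule a "FormulaPrefix"-style option would: any user-supplied string whose first non-whitespace character is one of the formula/DDE trigger characters gets a leading apostrophe so the spreadsheet treats it as literal text. The trigger list, the `escape_cell`/`escape_row` names and the constructed sample rows are assumptions of this example.

```python
"""Neutralise spreadsheet formula injection in exported cell values.

Added example: prefixes user-controlled strings that would otherwise be
interpreted as formulas, mirroring the OWASP CSV Injection guidance.
"""
from typing import Any, List, Sequence

# First characters that make Excel/LibreOffice evaluate a cell as a formula
# or a DDE/command reference (from the OWASP CSV Injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if the first non-whitespace character is a formula trigger.

    Leading whitespace is skipped because some spreadsheet applications
    trim it before deciding whether the cell content is a formula.
    """
    stripped = value.lstrip(" \t\r\n")
    return bool(stripped) and stripped[0] in FORMULA_TRIGGERS


def escape_cell(value: Any, prefix: str = "'") -> str:
    """Return a text-safe representation of one cell value.

    Non-string values (ints, floats, dates) come from the application, not
    from free-text user input, so they are rendered with str() unchanged;
    a negative number therefore stays numeric. Strings that look like a
    formula get `prefix` (an apostrophe by default, which Excel uses to force
    text) placed in front of the *original* value, whitespace included.
    """
    if not isinstance(value, str):
        return str(value)
    if is_formula_like(value):
        return prefix + value
    return value


def escape_row(row: Sequence[Any], prefix: str = "'") -> List[str]:
    """Apply escape_cell to every cell of a row before it is exported."""
    return [escape_cell(cell, prefix) for cell in row]


if __name__ == "__main__":
    # Constructed sample data: one benign row and one with a formula-looking
    # string that a user could have typed into a free-text field.
    report_rows = [["Alice", 42, "Paid in full"], ["Bob", -7, "=1+1"]]
    for row in report_rows:
        print(escape_row(row))
```

Applying the prefix at the moment a cell value is written to the export, rather than when data is stored, keeps the original user input intact in the database while removing the formula interpretation from the xls/xlsx/csv output.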