Security Basics mailing list archives
Re: password protection in office XP documents
From: Leif Gregory <leifg () doh state nm us>
Date: Tue, 17 Jun 2003 10:18:15 -0600
Hello Brian, Tuesday, June 17, 2003, 7:46:42 AM, you wrote: BE> Gosh, if I wanted to bypass those, I'd copy the existing Office BE> file into a new one and make my changes, then save it over the old BE> one. Seems like it would be a quicker "hack", and would be easier BE> for most people than saving it as HTML and editing the source BE> code, then saving it back as an Office file. BE> Now, one could get into file system rights arguments, but if you save it BE> as HTML, you are creating a new file. Now there will be a .doc and an BE> .html, and if you have rights to turn the .html back into the .doc, then BE> you can do what I mentioned above as well. BE> I still fail to see any flaw here. What was reported is opening the HTML BE> file in Office and the protection is gone. The HTML file is a *new* file BE> that you created; the original Office file still has the protection. But see, it's not a file rights issue. It's an XML document property tag (if that is the right terminology). It's an integral piece of the Word document. Copying it retains the document properties, therefore the protection. Converting it to HTML brings the document properties into plaintext, which you can highlight and delete. For instance, if you convert a protected document to HTML, and then, without changing anything, save (convert) the HTML document back into a Word document, it retains the document properties and the protection. It's not opening the HTML document in Word, it's viewing it's source and deleting the XML document properties tag that makes this work. Here's a test document I created and its resulting document property tag when the HTML source is viewed after conversion. ,------ [ HTML source of document after conversion to HTML ] | <o:DocumentProperties> | <o:Author>Leif Gregory</o:Author> | <o:LastAuthor>Leif Gregory</o:LastAuthor> | <o:Revision>2</o:Revision> | <o:TotalTime>12</o:TotalTime> | <o:Created>2003-06-17T16:02:00Z</o:Created> | <o:LastSaved>2003-06-17T16:02:00Z</o:LastSaved> | <o:Pages>1</o:Pages> | <o:Words>2</o:Words> | <o:Characters>14</o:Characters> | <o:Company>DOH</o:Company> | <o:Lines>1</o:Lines> | <o:Paragraphs>1</o:Paragraphs> | <o:CharactersWithSpaces>15</o:CharactersWithSpaces> | <o:Version>10.4219</o:Version> | </o:DocumentProperties> `---------- What I find interesting, is that these document properties do not actually contain the protection method. That portion is contained in the WordDocument portion of the document as follows: ,------ [ Portion appearing just below the document properties ] | <w:WordDocument> | <w:Zoom>0</w:Zoom> | <w:DocumentProtection>Comments</w:DocumentProtection> | <w:TrackRevisions/> | <w:Compatibility> | <w:BreakWrappedTables/> | <w:SnapToGridInCell/> | <w:WrapTextWithPunct/> | <w:UseAsianBreakRules/> | </w:Compatibility> | <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel> | </w:WordDocument> `---------- The interesting part is that you can leave this portion in the document, while deleting the first quoted portion, and it works. You can clearly see that the second quoted area shows the protection method as <w:DocumentProtection>Comments</w:DocumentProtection>. The first quoted portion (DocumentProperties) makes no reference to the second portion (WordDocument), but the "hack", so to speak, works just by deleting the first portion. My guess is it's something to do with the way XML works, which I have no real experience with. Now I agree that this isn't so much a flaw as it is an interesting fluke. It particularly appeals to me because people around here (my work) are way overly protective of everything. As a Systems Analyst, I get a lot of requests by people who have received a document they need to do something with, and a change needs to be made to it, but they can't because the document creator protected it. For clarity sake here is the entire document properties in the correct order. ,------ [ Whole of XML for Document Properties ] | <!--[if gte mso 9]><xml> | <o:DocumentProperties> | <o:Author>Leif Gregory</o:Author> | <o:LastAuthor>Leif Gregory</o:LastAuthor> | <o:Revision>2</o:Revision> | <o:TotalTime>12</o:TotalTime> | <o:Created>2003-06-17T16:10:00Z</o:Created> | <o:LastSaved>2003-06-17T16:10:00Z</o:LastSaved> | <o:Pages>1</o:Pages> | <o:Words>2</o:Words> | <o:Characters>14</o:Characters> | <o:Company>DOH</o:Company> | <o:Lines>1</o:Lines> | <o:Paragraphs>1</o:Paragraphs> | <o:CharactersWithSpaces>15</o:CharactersWithSpaces> | <o:Version>10.4219</o:Version> | </o:DocumentProperties> | </xml><![endif]--><!--[if gte mso 9]><xml> | <w:WordDocument> | <w:SpellingState>Clean</w:SpellingState> | <w:GrammarState>Clean</w:GrammarState> | <w:DocumentProtection>Comments</w:DocumentProtection> | <w:TrackRevisions/> | <w:Compatibility> | <w:BreakWrappedTables/> | <w:SnapToGridInCell/> | <w:WrapTextWithPunct/> | <w:UseAsianBreakRules/> | </w:Compatibility> | <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel> | </w:WordDocument> | </xml><![endif]--> `---------- Take care. -- Leif --------------------------------------------------------------------------- Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm ----------------------------------------------------------------------------
Current thread:
- password protection in office XP documents security (Jun 13)
- RE: password protection in office XP documents Larry Seltzer (Jun 16)
- Re: password protection in office XP documents Brian Eckman (Jun 16)
- Re: password protection in office XP documents Leif Gregory (Jun 16)
- Re: password protection in office XP documents Brian Eckman (Jun 17)
- Re: password protection in office XP documents Leif Gregory (Jun 17)
- Re: password protection in office XP documents Brian Eckman (Jun 17)
- RE: password protection in office XP documents security (Jun 18)
- Re: password protection in office XP documents Brian Eckman (Jun 18)
- RE: password protection in office XP documents security (Jun 18)
- Re: password protection in office XP documents Leif Gregory (Jun 16)
- <Possible follow-ups>
- Re: password protection in office XP documents John Benstead (Jun 16)
- RE: password protection in office XP documents matt willson (Jun 16)
- RE: password protection in office XP documents news.ajanas (Jun 17)
- Re: password protection in office XP documents Leif Gregory (Jun 17)
- Re: password protection in office XP documents Brian Eckman (Jun 17)
- Re: password protection in office XP documents Leif Gregory (Jun 17)
- RE: password protection in office XP documents matt willson (Jun 16)