remote/local file inclusion (RFI/LFI) vulnerabilities handling

Hello,

Triggered by a security questionnaire we had to answer for a customer, we had to think about the question “where would remote/local file inclusion (RFI/LFI) vulnerabilities apply in our product?” We concluded that the only place where this might play a role would be the publication engine. In this context customers are loading MS Word document templates (or MS PowerPoint templates) which are enhanced at run time to produce new documents (MS Word, PowerPoint or PDF). Conceivably an evil person could create a document template including malicious code. How would you prevent any obstructive effects of RFI attacks embedded into an MS Word template file they receive or use?


Regards

Iouri



1 Reply

Manikandan Ravichandran (Syncfusion Team), June 19, 2020 01:52 PM UTC

Hi Iouri,

Thank you for contacting Syncfusion support.

Our file format libraries (Essential DocIO & Essential Presentation) are similar to the Microsoft Office COM libraries: they iterate over the document elements explicitly and perform the necessary manipulation. We don't handle security-related things when processing the given documents (like detecting vulnerabilities and handling them). To avoid uploading malicious data from the customer end, we suggest you handle these kinds of problems by scanning the customer inputs (implementing proper network security or antivirus) and then passing the input files to the server machine.

Please let us know if you have any other questions.

Regards,
Manikandan Ravichandran 
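One concrete form the "scan the customer inputs before they reach the server" advice can take is a structural pre-check of the uploaded template itself. The script below is an added example, not Syncfusion code and not part of this thread: it opens a Word or PowerPoint template as the OOXML (zip) package it is and flags the package-level indicators a defender would want to reject or quarantine before handing the file to DocIO or Presentation: a VBA macro project, embedded OLE objects, and relationship entries whose target is external (remote content, the vector behind "remote inclusion" in a document template). Ordinary hyperlinks are also external relationships, so they are treated as benign. The sample packages are constructed in memory for the test; the regex-based parsing is an assumption made for brevity, and a production check would use a real XML parser.

```python
import io
import re
import zipfile
from typing import List

# Any part named vbaProject.bin carries VBA macro code (word/, ppt/, xl/ ...).
MACRO_PART = "vbaProject.bin"
# Matches one <Relationship .../> element that declares TargetMode="External".
EXTERNAL_REL = re.compile(r'<Relationship\b[^>]*TargetMode="External"[^>]*>', re.IGNORECASE)
TARGET_ATTR = re.compile(r'Target="([^"]*)"')
# Captures the last path segment of the relationship Type URI, e.g. "hyperlink".
TYPE_ATTR = re.compile(r'Type="[^"]*/([^"/]+)"')
# Relationship types that are external by nature and normally harmless.
BENIGN_EXTERNAL_TYPES = {"hyperlink"}


def scan_ooxml_template(data: bytes) -> List[str]:
    """Return human-readable findings for an uploaded .docx/.dotx/.pptx/.potx.

    An empty list means no package-level indicator was found; callers should
    reject or quarantine the upload when the list is non-empty.
    """
    findings: List[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid OOXML (zip) package"]
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            findings.append("missing [Content_Types].xml; not an OOXML package")
        for name in names:
            if name.endswith(MACRO_PART):
                findings.append(f"VBA macro project present: {name}")
            if "/embeddings/" in name:
                findings.append(f"embedded object present: {name}")
            if name.endswith(".rels"):
                xml = zf.read(name).decode("utf-8", errors="replace")
                for rel in EXTERNAL_REL.findall(xml):
                    rtype_m = TYPE_ATTR.search(rel)
                    rtype = rtype_m.group(1) if rtype_m else "?"
                    if rtype in BENIGN_EXTERNAL_TYPES:
                        continue
                    target_m = TARGET_ATTR.search(rel)
                    target = target_m.group(1) if target_m else "?"
                    findings.append(f"external relationship in {name}: type={rtype} target={target}")
    return findings


def build_sample(external_rel: bool, macro: bool) -> bytes:
    """Construct a minimal in-memory .docx for testing (constructed data, not a real template)."""
    ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    doc_rels = ('<?xml version="1.0" encoding="UTF-8"?>'
                '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                f'<Relationship Id="rId1" Type="{ns}/styles" Target="styles.xml"/>'
                # A plain hyperlink is external too, and must not be flagged.
                f'<Relationship Id="rId2" Type="{ns}/hyperlink" Target="https://example.invalid/" TargetMode="External"/>'
                '</Relationships>')
    settings_rels = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">')
    if external_rel:
        # Template attached from a remote location: exactly what the scan should catch.
        settings_rels += (f'<Relationship Id="rId1" Type="{ns}/attachedTemplate" '
                          'Target="http://example.invalid/placeholder.dotm" TargetMode="External"/>')
    settings_rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", doc_rels)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
        if macro:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder-macro-project\x00")  # dummy bytes
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False, False)), ("suspicious", build_sample(True, True))):
        print(label, scan_ooxml_template(sample) or "no findings")
```

The check deliberately looks only at package structure, so it runs before any library parses the document content; it is a complement to antivirus scanning, not a replacement, and the same relationship logic applies unchanged to PowerPoint packages (ppt/ parts) because the relationship format is shared across OOXML.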

