SharePoint 2010 Security Breach: Export to Excel Ignores Security Trimming

I’m currently working on a project where there are lists where permissions are broken and set on the list item level. Basically there are different groups of users, and some should see all items, and some should only be able to view a few of them. Now, all of these users have contribute, and can use the ‘Export to Excel’ function, which is very important to them. Now here is the issue I found out just a few days ago. Export to Excel ignores security trimming!

So what does this actually mean? Let me illustrate using a fictional example: I have a list called Accounts, where I store important information about clients and the business I have with them. Some accounts are secret, so I break the permission inheritance on them. Let’s say I have three accounts, A, B and C. Account A is secret, and I’m the only one who has permissions to view it. Now, I have a group of colleagues, who also have access to the Accounts list, and can contribute to it. But when they visit the list, they can’t see Account A, since I have removed their permissions from it. Now what happens when one of my colleagues uses the Export to Excel function? You would think that the generated Excel file would only contain accounts B and C. But no! The export function ignores the permissions of the user and only checks if the user has permissions to access the function itself. The result is the user being able to see account A as well, giving them access to information that should be hidden. In my opinion, this has to be regarded as a bug, because if this is by design, it’s poor design indeed.

EDIT: I tested this in SharePoint 2013, and the bug seems to be fixed. Will try and see if there is a hotfix or CU fixing this issue for SP 2010.

EDIT 2: After installing the July 2014 CU for SharePoint Server 2010, I can confirm that the bug is not fixed. It has to have been fixed for SP 2013 only.

EDIT 3: It seems that security might be trimmed after all, only that it uses the current Windows credentials rather than the account used to log in to SharePoint. Please read Pierre’s great comment below. I have personally not tested this though.
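
To tell a real trimming failure apart from the credential mix-up described in EDIT 3, compare the rows in the exported workbook with what the server says the test account may view. The following is an added example, not code from the original post; it is meant for the SharePoint 2010 Management Shell on a farm server, the function name `Get-VisibleItemsForUser` is hypothetical, and the site URL, list name and login in the sample call are constructed values.

```powershell
# Added example (not from the original post): list, per item, whether a given
# account holds ViewListItems, so the result can be compared with an export.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-VisibleItemsForUser {
    param(
        [Parameter(Mandatory = $true)][string]$WebUrl,
        [Parameter(Mandatory = $true)][string]$ListTitle,
        [Parameter(Mandatory = $true)][string]$LoginName
    )
    $web = Get-SPWeb $WebUrl
    try {
        # TryGetList returns $null instead of throwing when the list is missing
        $list = $web.Lists.TryGetList($ListTitle)
        if ($null -eq $list) { throw "List '$ListTitle' not found in $WebUrl" }

        # Resolve the account the test was *supposed* to run as
        $user = $web.EnsureUser($LoginName)
        $view = [Microsoft.SharePoint.SPBasePermissions]::ViewListItems

        foreach ($item in $list.Items) {
            New-Object PSObject -Property @{
                Id                = $item.ID
                Title             = $item.Title
                # True for items whose permission inheritance was broken
                UniquePermissions = $item.HasUniqueRoleAssignments
                # Server-side answer: may this account view the item?
                CanView           = $item.DoesUserHavePermissions($user, $view)
            } | Select-Object Id, Title, UniquePermissions, CanView
        }
    }
    finally {
        $web.Dispose()
    }
}

# Sample call with constructed values (hypothetical site, list and account):
# Get-VisibleItemsForUser -WebUrl "http://sharepoint.example/sites/crm" `
#     -ListTitle "Accounts" -LoginName "EXAMPLE\dummyuser" |
#     Where-Object { $_.CanView } | Format-Table -AutoSize
```

If the workbook contains item IDs for which `CanView` is false for the test account, check which Windows identity the client was actually using before concluding that trimming failed.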

4 thoughts on “SharePoint 2010 Security Breach: Export to Excel Ignores Security Trimming”

  1. Hi Johannes, I just stumbled upon this security breach this morning using SharePoint 2007 in my case. I just wonder how you have addressed it: hotfix or custom code or…?

    1. Well, in our case we actually built a custom Export to Excel function, hid the old one and added the new using custom actions. This approach is not safe however since you can still access the function by typing in a certain URL. It only hides it from the user interface.

      In other words, I don’t know a way to fix it securely.

      1. Hi Johannes, I did more tests and I found that the Export to Excel is actually security trimmed. What fooled me is that SharePoint is using two authentication methods: one for the web, one for Windows. My laptop is configured to use integrated Windows authentication and my credentials are saved to get rid of the annoying login popups.

        What happened is that I gave Read access to a single item in a list and nothing else in a site to a dummy user account. I logged in as this user on my laptop, went on the web page and the security was trimmed as expected. Then I clicked on Actions -> Export to Excel. I saw all items. I did the same test in a library for a single document. When I did Actions -> Open in Windows Explorer, I was seeing and able to read all documents! So I thought that the security was not trimmed at all in this environment. But I was wrong.

        The explanation is that, because of my laptop settings, I was actually using my own account to access the content, not the dummy user account. Thus, it was normal that I saw everything.

        To complete the test, I deleted my entry in Credentials Manager and unchecked the Integrated Windows authentication. I relogged as the dummy user and clicked on Export to Excel and I saw only one item as expected. Same thing with Windows Explorer. So the security is trimmed.

        In your case, can you elaborate on how you discovered your issue?

      2. That was quite a find, Pierre. It’s still a security flaw, but not the kind I thought.

        It was a while back now, and I can’t remember the details, but I think I just tried the Export to Excel function in my dev environment and saw the behaviour by accident. Then I tested in the test and production environments and got the same results. Of course, since I used test accounts since my own account had full access to everything, the problem arose in all environments.

        I will update my post and reference your comment. Thanks for digging deeper into this. =)
