Hi fellow experts,
I'm stuck between a client and a vendor, and I need to validate my response to this issue:
The client has a production server that runs an IIS-based health care app.
The vendor recently came out with an "enhancement" whereby a user could upload an Excel file to the server, the server would then run a set of macros to process the data and further upload the resultant data to a government system.
My first reaction is "WTF, you want me to enable Excel macros on a production server, AND the user uploads the Excel files from their own PC????"
I asked them what if the Excel file the user uploads is macro infested? Response: "hmmmm"
Am I off-base here? Is there a way to secure all of this that I am not aware of?
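
An added example, not part of the original post or the vendor's product: a pre-processing gate that inspects an uploaded workbook and rejects anything that carries macro content before Excel ever opens it. It assumes the vendor's processing macros would live in a server-side workbook, so uploads are expected to be data-only `.xlsx`; the function names and the sample files are constructed for illustration.

```python
import io
import zipfile

# Assumption (not from the post): uploads should be data-only .xlsx; the vendor's
# processing macros would live in a server-side workbook, never in the upload.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .xls container signature
MACRO_CONTENT_TYPES = (  # lowercased for case-insensitive matching
    b"application/vnd.ms-excel.sheet.macroenabled.main+xml",     # .xlsm
    b"application/vnd.ms-excel.template.macroenabled.main+xml",  # .xltm
    b"application/vnd.ms-office.vbaproject",                     # VBA part
)

def inspect_upload(data: bytes) -> list[str]:
    """Return reasons to reject the upload; an empty list means no macro parts found."""
    if data.startswith(OLE2_MAGIC):
        return ["legacy OLE2 workbook (.xls): may carry macros, not accepted"]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return ["not an OOXML (zip) workbook"]
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names or "xl/workbook.xml" not in names:
            return ["zip archive is not an Excel workbook"]
        for name in names:
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                reasons.append(f"VBA project present: {name}")
            if lower.startswith("xl/macrosheets/"):
                reasons.append(f"Excel 4.0 macro sheet present: {name}")
        content_types = zf.read("[Content_Types].xml").lower()
        for ct in MACRO_CONTENT_TYPES:
            if ct in content_types:
                reasons.append(f"macro content type declared: {ct.decode()}")
    return reasons

def build_sample(with_vba: bool) -> bytes:
    """Constructed workbook skeleton for the demo (not a real spreadsheet)."""
    main = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
    if with_vba:
        main = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/xl/workbook.xml" ContentType="{main}"/></Types>')
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()
```

An empty result only means no macro parts were found in the container; it says nothing about formulas or external links in the sheet data, so the file should still be processed under a low-privilege account.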