CSV Injection Vulnerability #5465
Comments
Just to confirm, this is not an issue with our CSV import, but if a row had bad data the exported CSV has an issue. We use https://datatables.net/; if you have a chance, maybe you can help check whether they have fixed that.
@DawoudIO I think the problem lies in the export feature. It would be nice to have an option in download csv to escape strings that begin with "+","-","@", or "=" by prepending "\t".
I'm not seeing how this is a particularly useful bug report. Anyone can create a CSV file with any arbitrary text in it using any text editor or text generation tool. How using ChurchCRM to generate a CSV with questionable content is a "bug" leaves me perplexed. For example, this logic implies the bash

echo -e "Header 1, Header 2, Header 3\n1,=10+20+cmd|' /C calc'!A0,Foo bar\n2,Hello world,Text text" > test.csv

If there was a method to use unauthenticated access to ChurchCRM that allowed insertion of arbitrary data values AND generate a CSV AND somehow send that somewhere, then maybe I'd consider this a flaw in ChurchCRM. Maybe I'm missing something?
I understand that this vulnerability would be much more impactful if any unauthenticated user were able to inject the payload, resulting in code execution on the internal user's system. However, this could also be impactful if any internal user of the application enters the payload, which results in impacting all the other users of the application. Here the payload is entered in the ChurchCRM application, leaving the application at fault for generating a file which can execute malicious commands on the user's system. A user may embed Dynamic Data Exchange (DDE) formulas to perform code execution, download a backdoor, open a malicious website, etc.
https://owasp.org/www-community/attacks/CSV_Injection#:~:text=CSV%20Injection%2C%20also%20known%20as,the%20software%20as%20a%20formula.
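The escaping option proposed earlier in the thread and the OWASP guidance linked above amount to the same export-side fix: a cell that starts with a formula trigger character is neutralised before it is written. The following is an added example (not ChurchCRM or DataTables code) of such a sanitiser for a CSV export routine; the function names and the sample rows are constructed for illustration.

```javascript
// Characters a spreadsheet treats as the start of a formula when a CSV cell
// begins with them (the set listed in the OWASP CSV Injection guidance).
const FORMULA_TRIGGERS = new Set(["=", "+", "-", "@", "\t", "\r"]);

// True when a spreadsheet would interpret the cell as a formula.
function isFormulaLike(value) {
  return value.length > 0 && FORMULA_TRIGGERS.has(value[0]);
}

// Neutralise one cell: prefix a leading trigger character with a single quote
// so the cell is read as text, then quote the field and double any embedded
// double quotes so the CSV itself stays well-formed.
function sanitizeCell(value) {
  let text = String(value ?? "");
  if (isFormulaLike(text)) {
    text = "'" + text;
  }
  return '"' + text.replace(/"/g, '""') + '"';
}

// Build one CSV line from an array of raw cell values.
function toCsvRow(cells) {
  return cells.map(sanitizeCell).join(",");
}

// Join all rows into a CSV document (CRLF line endings per RFC 4180).
function exportCsv(rows) {
  return rows.map(toCsvRow).join("\r\n");
}

// Constructed sample data, including the payload quoted in the issue.
const SAMPLE_ROWS = [
  ["Id", "Name", "Notes"],
  [1, "=10+20+cmd|' /C calc'!A0", "Foo bar"],
  [2, "Hello, world", 'She said "hi"'],
  [3, "-5", "@mention"],
];

console.log(exportCsv(SAMPLE_ROWS));
```

Applying the sanitiser on the server side (where the export is generated) rather than only in the browser covers every client that downloads the file.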
Feel free to create a PR.
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
This issue was closed because it has been stalled for 15 days with no activity.
Vulnerability Name: CSV Injection/ Formula Injection
Severity: High
Description: CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the List Event Types feature in ChurchCRM v4.2.0 via the Name field, which is mistreated while exporting to a CSV file.
Impact: Arbitrary formulas can be injected into CSV files, which can lead to remote code execution at the client or data leakage via maliciously injected hyperlinks.
Version Affected: 4.2.0
Payload Used: =10+20+cmd|' /C calc'!A0
Vulnerable URL: master/EventNames.php
Vulnerable Parameters: Name
Steps to Reproduce:
Note: In case the payload does not execute, enable the 'External Content' and 'Macro' settings in Excel. Go to Excel > File > Options > Trust Center > Trust Center Settings > Macro/External Content.
References:
https://nvd.nist.gov/vuln/detail/CVE-2019-12134
http://cwe.mitre.org/data/definitions/1236.html