Connections 0.7.3.2 <= 9.6 CSV Injection #474
Comments
Spent the morning delving into this and investigating solutions implemented by others:

I liked the solution which did not try to hide the potential malicious activity, instead it informed the user. Commit ece2392, not yet tested, should mitigate the issue. I'll work to test and push out the fix asap. Thanks for reporting!

Hi @shazahm1, Thanks for the response. Can you label it as a bug?

I'll label it as an enhancement ... everything I've read digging into this today seems to indicate this is actually a bug/security issue in spreadsheet apps that will not be fixed outside of some click thru warnings to the user.

Oh, really just semantics anyway since I'll be pushing a fix that contains a workaround to prevent this bug in spreadsheet apps. You have to admit, the "solutions" are just workarounds :)

I know that it's the admin side. But it is known as a security issue https://auth0.com/docs/security/bulletins/2020-03-31_wpauth0 please check the link here; they already marked it as a bug. Thanks

I thank you for taking the time to leave a thorough report on how Connections could be utilized to exploit a security issue in spreadsheet apps! Have you had a moment to test the patch? I'm confident it will, as I implemented a similar workaround as in use by other popular open source projects. It would be great to have another verify before an update is released. If you do not have the time, I understand and again thank you for taking the time to let me know about this.

Sure, I will test the patch tomorrow.

This regex works well.

Sorry, I forgot to follow up. This was merged and released. thx!
Description
CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files, which can lead to hijacking the user's computer by exploiting that untrusted input. In this plugin, all the input fields of connections_add are affected.
Affected Item: Exported CSV File
Affected Version: 0.7.3.2 <= 9.6 (as in the issue title)
Tested With: Microsoft Excel
Steps to reproduce:
1. Enter `@SUM(1+1)*cmd|' /C calc'!A0` in a connections_add input field.
2. Export All; the export is saved as cn-export-all-MM-DD-YYYY.csv.
3. Open it with Microsoft Excel: CMD is executed.

All fields are not checked because getData() doesn't filter any of the fields. See Connections/includes/export/class.csv-export-batch-all.php, lines 758 to 788 at commit c69ea8d.
Reference
Hopefully, it will fix soon, Let me know if you have any questions.
Thanks,
@rudSarkar
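As an added example (not the Connections plugin's code, and not the patch in commit ece2392), here is the kind of defensive cell escaping an export path such as getData() needs: cells beginning with a formula-trigger character are prefixed with a visible apostrophe and every cell is quoted. The record and the helper names are constructed for this illustration.

```php
<?php
// Added example, not the Connections plugin's code. Neutralises cells that a
// spreadsheet would otherwise evaluate as a formula (or DDE command) when the
// exported CSV is opened, by prefixing them with an apostrophe and quoting them.

// Characters that make Excel/LibreOffice treat a cell as a formula. Leading
// tab and carriage return are included because some spreadsheet parsers strip
// them and then re-check the next character.
const CSV_FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

function cn_csv_escape_cell(string $value): string
{
    // Quote every cell and double embedded quotes so a comma, quote or
    // newline inside the value cannot break out of its cell.
    $escaped = str_replace('"', '""', $value);

    if ($value !== '' && in_array($value[0], CSV_FORMULA_TRIGGERS, true)) {
        // The apostrophe forces text interpretation; it stays visible in the
        // cell editor, so the user sees the suspicious input rather than
        // having it silently altered or dropped.
        $escaped = "'" . $escaped;
    }

    return '"' . $escaped . '"';
}

function cn_csv_row(array $fields): string
{
    return implode(',', array_map('cn_csv_escape_cell', $fields)) . "\r\n";
}

// Constructed sample record, reusing the payload from the report above.
$record = [
    'Jane Doe',
    "@SUM(1+1)*cmd|' /C calc'!A0",
    '-555-0100',              // legitimate value starting with "-" is escaped too
    'Plain "quoted" text',
];

echo cn_csv_row($record);
```

Legitimate values that begin with `-` (a negative number, a phone number) receive the prefix as well; because the apostrophe is visible, the user can see and remove it rather than having the value silently changed.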