CSV Injection Vulnerability #70587

Closed
Acid mannequin opened this issue Feb 21, 2016 · 4 comments
Comments


Acid mannequin commented Feb 21, 2016

BPO 26399
Nosy @brettcannon, @soltysh

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

GitHub fields:

assignee = None
closed_at = <Date 2016-02-23.10:21:39.989>
created_at = <Date 2016-02-21.10:45:20.453>
labels = []
title = 'CSV Injection Vulnerability'
updated_at = <Date 2016-02-23.10:21:39.987>
user = 'https://bugs.python.org/Acid'

bugs.python.org fields:

activity = <Date 2016-02-23.10:21:39.987>
actor = 'maciej.szulik'
assignee = 'none'
closed = True
closed_date = <Date 2016-02-23.10:21:39.989>
closer = 'maciej.szulik'
components = []
creation = <Date 2016-02-21.10:45:20.453>
creator = 'Acid'
dependencies = []
files = []
hgrepos = []
issue_num = 26399
keywords = []
message_count = 4.0
messages = ['260602', '260603', '260624', '260724']
nosy_count = 3.0
nosy_names = ['brett.cannon', 'maciej.szulik', 'Acid']
pr_nums = []
priority = 'normal'
resolution = 'wont fix'
stage = None
status = 'closed'
superseder = None
type = None
url = 'https://bugs.python.org/issue26399'
versions = []

@Acid Acid mannequin changed the title -2+1 -2+3+cmd|' /C calc'!A0 Feb 21, 2016

Acid mannequin commented Feb 21, 2016

The "Download as CSV" feature of bugs.python.org does not properly "escape" fields. This allows an adversary to turn a field into active content, so when we download the CSV and open it, the active content gets executed. Here is more information about this issue:
http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/

Steps to Reproduce:

  1. Enter the title with the payload: -2+3+cmd|' /C calc'!A0
  2. Download the bugs as CSV
  3. Open it with Excel and Calc will get prompted.

Depending upon the system user's privileges, an attacker can perform various tasks using the same.
If the user has high privileges, it is easy to change the system password, as shown below:
-2+3+cmd|' /C net user administrator lol@123'!A0

Mitigations:
Ensure all fields are properly "escaped" before returning the CSV file to the user.

Regards,
Acid
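
One way to implement the mitigation the report asks for, as an added example that is not code from the tracker or from CPython: every field is run through a neutralizer before the CSV writer sees it, and a second helper audits an existing export for formula-shaped fields. The trigger-character list and the sample rows are assumptions constructed for this example.

```python
import csv
import io

# Leading characters that Excel and LibreOffice Calc treat as the start of a
# formula (assumption: common mitigation guidance, not a bugs.python.org rule).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_field(value):
    """Prefix value with an apostrophe when a spreadsheet would parse it as a formula.

    The apostrophe makes the cell render as literal text. Leading spaces are
    skipped before the check because some applications strip them first.
    """
    text = str(value)
    if text.lstrip(" ")[:1] in FORMULA_TRIGGERS:
        return "'" + text
    return text


def rows_to_csv(rows):
    """Serialise rows (iterables of field values) to CSV with every field neutralized.

    QUOTE_ALL keeps embedded commas, quotes and newlines inside one cell so a
    value cannot spill into neighbouring cells or rows.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_field(field) for field in row])
    return buf.getvalue()


def find_formula_fields(csv_text):
    """Audit existing CSV text: return (row, column, value) for each formula-shaped field."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, field in enumerate(row):
            if field.lstrip(" ")[:1] in FORMULA_TRIGGERS:
                hits.append((r, c, field))
    return hits


# Constructed sample rows modelled on a tracker export (id, title, status).
SAMPLE_ROWS = [
    ["id", "title", "status"],
    [26399, "-2+1", "open"],           # title this issue briefly carried
    [26400, "=SUM(A1:A3)", "closed"],  # constructed formula-shaped title
    [26401, "Ordinary title", "open"],
]
```

Apply the prefix only to free-text columns: a genuinely numeric column such as "-5" would also be turned into text, so numeric fields should be emitted as numbers and only user-controlled strings neutralized.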

@Acid Acid mannequin changed the title -2+3+cmd|' /C calc'!A0 CSV Injection Vulnerability Feb 21, 2016

Acid mannequin commented Feb 21, 2016

Impact of this one is high, as "Download as CSV" is present for guest users as well. This means anyone can download the bugs using the "Download as CSV" function, and as the file is downloaded from a trusted resource, the possibility is high that the code will get executed.

@brettcannon (Member) commented

Tracker bugs should be reported to http://psf.upfronthosting.co.za/roundup/meta/ .


soltysh commented Feb 23, 2016

Closing in favor of http://psf.upfronthosting.co.za/roundup/meta/issue580

@soltysh soltysh closed this as completed Feb 23, 2016
@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022