Shopify: Injection via CSV Export feature in Admin Orders

2016-02-23T08:05:15
ID H1:118103
Type hackerone
Reporter wakadotz
Modified 2016-03-12T12:39:59

Description

I found out that the filtering of "=,-,+" is not working on all data. There's a way to bypass it.

  1. Create a product with title =cmd|' /C calc'!'D2'
  2. Add variants (more than 2 variants) then save it.
  3. Go to Orders > Create Order
  4. search the product we made =cmd|' /C calc'!'D2'
  5. Add 2 variants from same item
  6. Mark as paid
  7. Create Order
  8. Go Back to order page > Export > Open in excel

You will see that the "=" in the first variant is successfully filtered, but in the next variant it is not filtered anymore.
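The defect described in the report is a sanitiser applied to the product once rather than to every cell that is written, so the second line item for the same product reaches the spreadsheet unescaped. The following Ruby snippet is an added example, not code from the report or from Shopify: it neutralises formula-leading characters per cell at write time and includes a regression check that scans a generated export for any cell still beginning with such a character. The line-item structure, field names and the Small/Large variants are constructed for the illustration.

```ruby
require 'csv'

# Characters that spreadsheet applications interpret as the start of a
# formula when they lead a cell. Tab and carriage return are included
# because some applications discard them before evaluating the cell.
FORMULA_PREFIXES = ['=', '+', '-', '@', "\t", "\r"].freeze

# Neutralise one cell for export. A leading single quote forces the cell to
# be read as literal text by Excel, LibreOffice and Google Sheets. Numeric
# values are left alone so that a negative quantity stays a number.
def sanitize_cell(value)
  return value.to_s if value.is_a?(Numeric)
  str = value.to_s
  return str if str.empty? || !FORMULA_PREFIXES.include?(str[0])
  "'" + str
end

# Constructed sample: two variants of one product whose title is the
# formula-looking string from the report. The hash keys and variant names
# are assumed for this example and are not Shopify's data model.
SAMPLE_LINES = [
  { product: "=cmd|' /C calc'!'D2'", variant: 'Small', qty: 1 },
  { product: "=cmd|' /C calc'!'D2'", variant: 'Large', qty: 2 }
].freeze

# Render line items as CSV. Sanitisation happens per cell as each row is
# written, so it cannot depend on whether the product appeared in an
# earlier row. `sanitize: false` exists only to produce input for the
# regression check below.
def export_order_lines(lines, sanitize: true)
  CSV.generate do |csv|
    csv << %w[product variant quantity]
    lines.each do |line|
      cells = [line[:product], line[:variant], line[:qty]]
      csv << (sanitize ? cells.map { |c| sanitize_cell(c) } : cells)
    end
  end
end

# Regression check for an export feature: returns the 1-based numbers of
# rows in which any cell still starts with a formula prefix.
def unsanitized_rows(csv_text)
  rows = []
  CSV.parse(csv_text).each_with_index do |row, idx|
    rows << idx + 1 if row.any? { |cell| cell && FORMULA_PREFIXES.include?(cell[0]) }
  end
  rows
end

if __FILE__ == $PROGRAM_NAME
  puts export_order_lines(SAMPLE_LINES)
  p unsanitized_rows(export_order_lines(SAMPLE_LINES, sanitize: false))
end
```

Running the file prints the escaped export and then `[2, 3]` for the unsanitised variant, i.e. both line items of the same product are flagged, which is exactly the condition a per-product filter misses. The check is cheap enough to run over every generated export in a test suite.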