Ian Dunn: CSV Injection at Camptix Event Ticketing

2016-07-15T14:13:39
ID H1:151516
Type hackerone
Reporter thezawad
Modified 2016-08-18T16:38:38

Description

Hi, as you mentioned the scope of the vulnerability as "Any plugin listed on my WordPress.org profile", I am reporting this issue.

I have seen from your WordPress.org profile that the second plugin listed is Camptix Event Ticketing, so I looked at the source code of the plugin (https://github.com/Automattic/camptix). Although I don't have much knowledge about WordPress plugin development, what I understood is that you have good filtering for XSS (HTML tags) when submitting user data (in the ticket form), but no filtering to filter out CSV macros (starting with =). So I installed it in my WP and checked it out with a very simple ticket form with only First name, Last name and Email.

Reproduction of Bug

1. From any ticket that is open to buy, sign up for one.
2. In the First name and Last name fields, type =AND(2>1) and =7*7 respectively.
3. Save them.
4. Now from the admin panel, export the attendees' information as CSV. Open the CSV with any application (e.g. Excel) and you'll see the First name and Last name fields execute the command.

This can be further used to perform command execution on Windows systems (high risk). See this. Since the bug could be exploited by a random user and the victim is the admin, I think it should be patched.

The fix could be simple: just escape the =, - and + signs in user input. This will solve the issue, I guess.

Hope you resolve and reward.


Zawad
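A defensive counterpart to the fix suggested in the report, added here as an example and not part of the report or of the Camptix code: a Python export routine that neutralizes formula-triggering leading characters before writing a CSV, plus an audit function that flags evaluable cells in an export produced elsewhere. It goes slightly beyond the report's =, - and + by also treating @, tab and carriage return as triggers; the attendee records and the raw CSV are constructed sample data.

```python
import csv
import io

# Leading characters that spreadsheet applications interpret as the start of a
# formula. Tab and carriage return are included because some importers also
# begin formula parsing after them.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_csv_field(value):
    """Return the field as text that a spreadsheet will not evaluate.

    A leading single quote forces the cell to be treated as a literal string.
    Legitimate values such as negative numbers or phone numbers with a leading
    '+' are prefixed too, so the output is safe but not byte-identical.
    """
    text = "" if value is None else str(value)
    if text and text[0] in FORMULA_TRIGGERS:
        return "'" + text
    return text


def export_attendees_csv(attendees):
    """Build the attendee export, neutralizing every user-supplied field."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["First Name", "Last Name", "Email"])
    for a in attendees:
        writer.writerow([neutralize_csv_field(a[k])
                         for k in ("first_name", "last_name", "email")])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Audit an existing export: list (row, column, value) for each cell a
    spreadsheet would evaluate. Useful for checking exports you did not write."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell and cell[0] in FORMULA_TRIGGERS:
                hits.append((r, c, cell))
    return hits


# Constructed sample: the two values from the report plus an ordinary attendee.
SAMPLE_ATTENDEES = [
    {"first_name": "=AND(2>1)", "last_name": "=7*7", "email": "a@example.com"},
    {"first_name": "Jean-Luc", "last_name": "Picard", "email": "jl@example.com"},
]
```

Run `find_formula_cells` over an export to confirm it returns an empty list before the file is handed to anyone who will open it in a spreadsheet.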