Ian Dunn: CSV Injection in Camptix

ID H1:164674
Type hackerone
Reporter grande
Modified 2016-10-12T07:49:59


Hello, Ian!

I see you tried to escape "=, -, +, @" in your code (#151516), but let me show simple workaround.

I've made CSV injection by using this string ";=cmd|' /C calc'!A5" without doublequotes.

";" will bypass your trying to set the quote in the beginning of the string.

";" acts as a new cell separator.

Tested in the Excel 2016