DefectDojo / django-DefectDojo

DevSecOps, ASPM, Vulnerability Management. All on one platform.
https://defectdojo.com
BSD 3-Clause "New" or "Revised" License
3.67k stars, 1.54k forks

CSV Injection #11059

Closed minhquan202 closed 1 day ago

minhquan202 commented 3 days ago

Description:

CSV Injection on the list API:

DefectDojo version 2.37.3 (https://github.com/DefectDojo/django-DefectDojo) allows remote attackers to insert malicious code. When a user exports a product as CSV and then opens the file, the malicious code is executed immediately.

Proof of Concept:

  1. Add or edit the API list above with malicious script tags in the parameter.
  2. Export as CSV from the corresponding API.
  3. Open the CSV file that was just downloaded. The malicious code is executed immediately.


Impact:

Execution of Malicious Code

manuel-sommer commented 2 days ago

Maybe I understand this wrong, but isn't this rather a problem within the csv editor you use?

manuel-sommer commented 2 days ago

What is your opinion @mtesauro ?

minhquan202 commented 2 days ago

Maybe I understand this wrong, but isn't this rather a problem within the csv editor you use?

No bro. Anyone can do this. This is a vulnerability. You can refer to CWE-1236, which has a description of this.

mtesauro commented 1 day ago

@minhquan202 First, as someone reporting security issues to any software producer, please look for and honor the requested reporting process. DefectDojo's is on the repo's main README.md file under the title of "Security" and points to our disclosure policy at https://github.com/DefectDojo/django-DefectDojo/blob/master/readme-docs/SECURITY.md. From looking at HackerOne, someone with a similar username submitted there as well but, if that was you, the HackerOne submission should have been the only one. In this case, there's no issue for the DefectDojo community but we have the bug bounty in place with HackerOne to allow the larger DefectDojo community to get a needed fix quickly and ideally before the issue is disclosed publicly.

As for this specific issue, I'm sorry but this is not an issue for DefectDojo to fix. This is an issue with the program which takes in a CSV as input data and executes it instead.

I'd not blame the attacker nor ask them to fix an XSS or SQL-i by only sending data which DefectDojo can safely process - why should DefectDojo be expected to alter its output to accommodate downstream applications which fail to validly treat data as data and instead execute it.

The earliest example of this I can find is from 2017 and located at https://georgemauer.net/2017/10/07/csv-injection.html which was a reference from OWASP's page on CSV Injection. Ironically, the CWE you reference links to that OWASP page.


minhquan202 commented 1 day ago

What is the program which takes the CSV? And so I want to know when this vulnerability will be fixed.

mtesauro commented 1 day ago

The program which takes the CSV is whatever program a person wants to use - MS Excel, LibreOffice Calc, Google Spreadsheets, Apple Numbers - any program which reads in CSV data and treats it like code would need to fix this issue.

Are you going to submit a similar issue for Vim? Vim can create CSVs like you reference above but I won't expect it to have anything to do with how another program uses the data Vim created. What about Notepad, VS Code, nano, any text editor?

DefectDojo does not consider this an issue it has any ability to fix as it has no control how various spreadsheet apps read in and handle CSV data. DefectDojo will not be doing any code changes in how it creates CSVs as this represents a vulnerability in other software not DefectDojo.

Please consider filing issues with the various spreadsheet software I've listed above and any others you might know of - that's how what you put here will get fixed.

minhquan202 commented 1 day ago

No bro, I think you are misunderstanding the issue here. The problem is that any user exporting information as CSV and opening it will execute the malicious code, regardless of the software used. This is a vulnerability that attackers exploit through commands allowed in the CSV file to execute malicious code. The fault does not lie with software like MS Excel, LibreOffice Calc, etc., but rather with your own website. This happens because the website does not handle the attacker's input correctly during the CSV file export process. Any web application exporting files of type CSV must validate the special characters in the data, such as '=', '+', '@', and '-'. They usually validate by adding a single quote (') or double quote (") before the special characters so that when the CSV file is opened, the malicious commands injected into the columns will not execute and will be interpreted as a string instead. Please refer to some of the following reports to see how they fix these errors: https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-010
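The neutralization described in the last comment, written out as an added Python example (this is not DefectDojo's code; the thread records that the project declined to change its CSV export). The leading characters `=`, `+`, `@`, `-` come from the comment above; tab and carriage return are added from OWASP's CSV Injection page, and the sample rows are constructed for the demonstration.

```python
import csv
import io

# Leading characters that spreadsheet applications may treat as the start of
# a formula. '=', '+', '-', '@' are the ones named in the thread; '\t' and
# '\r' are the two extra triggers listed on OWASP's CSV Injection page.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a version of value that a spreadsheet will read as text.

    If the first non-space character is a formula trigger, the cell is
    prefixed with a single quote so the spreadsheet shows it as a literal
    string instead of evaluating it. Non-string values (numbers, None) are
    returned unchanged because they cannot carry a formula.
    """
    if not isinstance(value, str):
        return value
    stripped = value.lstrip(" ")
    if stripped and stripped[0] in FORMULA_TRIGGERS:
        return "'" + value
    return value


def export_rows(header, rows):
    """Serialize header + rows to a CSV string, neutralizing every cell.

    QUOTE_ALL wraps each field in double quotes (embedded quotes are doubled
    by the csv module), so a cell cannot break out of its own field.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a product name that looks like a spreadsheet
    # formula, a normal name, and a numeric id.
    sample = [["=SUM(1,2)", "Finding A", 7], ["Plain product", "  +1", None]]
    print(export_rows(["product", "title", "id"], sample))
```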