commons-issues mailing list archives

From "Phil Varner (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CSV-199) CSVFormat option to defend against CSV Excel Macro Injection (CEMI) attacks
Date Fri, 07 Oct 2016 00:31:20 GMT
Phil Varner created CSV-199:
-------------------------------

             Summary: CSVFormat option to defend against CSV Excel Macro Injection (CEMI) attacks
                 Key: CSV-199
                 URL: https://issues.apache.org/jira/browse/CSV-199
             Project: Commons CSV
          Issue Type: New Feature
          Components: Printer
    Affects Versions: 1.4
            Reporter: Phil Varner


A common use for Commons CSV is to export user-generated data for analysis in spreadsheet
software like Excel. One attack against this usage is for a user to create data that appears
as a formula to Excel, such that Excel executes it. For example, a simple non-malicious example
of this is a CSV file like:

{code}
Name,Email,Favorite Color
Aaron Aaronson,aa@example.com,=1+1
{code}

When opened, Excel will execute the macro and display "2".  A malicious example could, for
example, use "=cmd|' /C calc'!A0", causing a command prompt to be opened. 

This can be exploited with values starting with =, +, -, or .

This feature would add a flag to CSVFormat called "escapeFormulas" that would defend against
creating vulnerable CSV files like this by prepending a single-quote to any CSV column value
starting with the four aforementioned characters.  Also added would be a predefined format
EXCEL_WITHOUT_FORMULAS that could be used for safely exporting data that was not intended
to contain formulas. 

I believe it is important to add this as a feature to CSVFormat rather than relying on users
to manually escape formulas because many users do not know about this security vulnerability,
but would prefer to defend against it if aware. 

More information:
https://www.owasp.org/index.php/CSV_Excel_Macro_Injection
https://hackerone.com/reports/72785
http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
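The escaping rule proposed in the issue, worked through as an added example that is not part of the report or of Commons CSV itself: a cell whose text starts with a formula trigger gets a leading single quote, every cell of an export is treated that way, and a small checker reports cells that would still be evaluated. The triggers "=", "+" and "-" come from the issue text; "@" is assumed here from the cited OWASP page, since the fourth character is garbled in the archived message.

```python
import csv
import io

# Characters that make spreadsheet software treat a cell as a formula.
# "=", "+", "-" are from the issue text; "@" is assumed from the cited OWASP page
# (the fourth character is garbled in the archived message).
FORMULA_TRIGGERS = ("=", "+", "-", "@")


def escape_formula(value):
    """Neutralise a cell that Excel would interpret as a formula.

    Mirrors the proposed ``escapeFormulas`` behaviour: prepend a single quote
    so the spreadsheet stores the text literally instead of evaluating it.
    Non-string values are converted to text first.
    """
    text = str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def write_safe_csv(rows, header=None):
    """Write rows to a CSV string, escaping every data cell (the EXCEL_WITHOUT_FORMULAS idea)."""
    buf = io.StringIO()
    writer = csv.writer(buf, dialect="excel", lineterminator="\n")
    if header is not None:
        writer.writerow(header)
    for row in rows:
        writer.writerow([escape_formula(cell) for cell in row])
    return buf.getvalue()


def formula_cells(csv_text):
    """Detection helper: (row, column) positions whose cell would still be evaluated as a formula."""
    reader = csv.reader(io.StringIO(csv_text), dialect="excel")
    return [(r, c) for r, row in enumerate(reader)
            for c, cell in enumerate(row) if cell.startswith(FORMULA_TRIGGERS)]


# Constructed sample: the row from the issue text plus a negative-number edge case.
SAMPLE_ROWS = [
    ["Aaron Aaronson", "aa@example.com", "=1+1"],
    ["Beth Bethson", "bb@example.com", "-5"],
]

if __name__ == "__main__":
    out = write_safe_csv(SAMPLE_ROWS, header=["Name", "Email", "Favorite Color"])
    print(out)
    print("remaining formula cells:", formula_cells(out))
```

Note the side effect visible in the second sample row: a legitimate negative number such as "-5" is also prefixed, so consumers of the file see it as text rather than a number, which is why the issue frames the predefined format as one for data not intended to contain formulas.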