commons-issues mailing list archives

From "Phil Varner (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CSV-199) CSVFormat option to defend against CSV Excel Macro Injection (CEMI) attacks
Date Fri, 07 Oct 2016 00:33:20 GMT

    [ https://issues.apache.org/jira/browse/CSV-199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15553687#comment-15553687
] 

Phil Varner commented on CSV-199:
---------------------------------

Also, I've already written code that modifies CSVFormat to add this feature, and would like
feedback as to whether it's an appropriate feature to add and, if so, to where I should submit
the patch.

> CSVFormat option to defend against CSV Excel Macro Injection (CEMI) attacks
> ---------------------------------------------------------------------------
>
>                 Key: CSV-199
>                 URL: https://issues.apache.org/jira/browse/CSV-199
>             Project: Commons CSV
>          Issue Type: New Feature
>          Components: Printer
>    Affects Versions: 1.4
>            Reporter: Phil Varner
>
> A common use for Commons CSV is to export user-generated data for analysis in spreadsheet
> software like Excel.  One attack against this usage is for a user to create data that appears
> as a formula to Excel, such that Excel executes it.  For example, a simple non-malicious example
> of this is a CSV file like:
> {code}
> Name,Email,Favorite Color
> Aaron Aaronson,aa@example.com,=1+1
> {code}
> When opened, Excel will execute the macro and display "2".  A malicious example could,
> for example, use "=cmd|' /C calc'!A0", causing a command prompt to be opened.
> This can be exploited with values starting with =, +, -, or .
> This feature would add a flag to CSVFormat called "escapeFormulas" that would defend
> against creating vulnerable CSV files like this by prepending a single-quote to any CSV column
> value starting with the four aforementioned characters.  Also added would be a predefined
> format EXCEL_WITHOUT_FORMULAS that could be used for safely exporting data that was not intended
> to contain formulas.
> I believe it is important to add this as a feature to CSVFormat rather than relying on
> users to manually escape formulas because many users do not know about this security vulnerability,
> but would prefer to defend against it if aware.
> More information:
> https://www.owasp.org/index.php/CSV_Excel_Macro_Injection
> https://hackerone.com/reports/72785
> http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
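An added illustration of the escaping rule the issue describes, applied in front of the existing Commons CSV 1.4 CSVPrinter API. This is not Phil Varner's patch and not Commons CSV's own code; the `FormulaEscapingExport` class, `escapeFormula` and `printEscapedRecord` are names chosen here, the sample rows are constructed, and the '@' trigger is taken from the linked OWASP guidance rather than the issue text.

```java
import java.io.IOException;
import java.io.StringWriter;
import org.apache.commons.csv.CSVFormat;
import org.apache.commons.csv.CSVPrinter;

/** Illustrative wrapper (not the proposed CSVFormat option) that applies the "escapeFormulas" rule. */
public class FormulaEscapingExport {

    // Leading characters Excel treats as the start of a formula. '=', '+' and '-' are
    // listed in the issue; '@' is taken from the linked OWASP page (assumption).
    private static final String FORMULA_TRIGGERS = "=+-@";

    /** Prepend a single quote so Excel treats the cell as literal text rather than a formula. */
    static String escapeFormula(Object value) {
        if (value == null) {
            return null;
        }
        String s = value.toString();
        if (!s.isEmpty() && FORMULA_TRIGGERS.indexOf(s.charAt(0)) >= 0) {
            return "'" + s;
        }
        return s;
    }

    /** Write one record, escaping every column before it reaches the printer. */
    static void printEscapedRecord(CSVPrinter printer, Object... values) throws IOException {
        Object[] escaped = new Object[values.length];
        for (int i = 0; i < values.length; i++) {
            escaped[i] = escapeFormula(values[i]);
        }
        printer.printRecord(escaped);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample rows: the first mirrors the issue's example, the second
        // shows an ordinary value that merely starts with a trigger character.
        Object[][] rows = {
            {"Aaron Aaronson", "aa@example.com", "=1+1"},
            {"Betty Boop", "bb@example.com", "-5 degrees"},
        };
        StringWriter out = new StringWriter();
        CSVFormat format = CSVFormat.EXCEL.withHeader("Name", "Email", "Favorite Color");
        try (CSVPrinter printer = new CSVPrinter(out, format)) {
            for (Object[] row : rows) {
                printEscapedRecord(printer, row);
            }
        }
        System.out.print(out);
    }
}
```

The second row shows the cost of this defence: a legitimate value such as "-5 degrees" also gets the leading quote, which is why the issue scopes the option to data not intended to contain formulas.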
