commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Benedikt Ritter (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CSV-199) CSVFormat option to defend against CSV Excel Macro Injection (CEMI) attacks
Date Sun, 09 Oct 2016 11:31:20 GMT

    [ https://issues.apache.org/jira/browse/CSV-199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15559842#comment-15559842
] 

Benedikt Ritter commented on CSV-199:
-------------------------------------

I agree with [~ebourg]. This does not fit into Commons CSV.

> CSVFormat option to defend against CSV Excel Macro Injection (CEMI) attacks
> ---------------------------------------------------------------------------
>
>                 Key: CSV-199
>                 URL: https://issues.apache.org/jira/browse/CSV-199
>             Project: Commons CSV
>          Issue Type: New Feature
>          Components: Printer
>    Affects Versions: 1.4
>            Reporter: Phil Varner
>             Fix For: Discussion
>
>
> A common use for Commons CSV is to export user-generated data for analysis in spreadsheet
software like Excel.  One attack against this usage is for a user to create data that appears
as a formula to Excel, such that excel executes it.  For example, a simple non-malicious example
of this is a u CSV file like:
> {code}
> Name,Email,Favorite Color
> Aaron Aaronson,aa@example.com,=1+1
> {code}
> When opened, Excel will execute the macro and display "2".  A malicious example could,
for example, use "=cmd|' /C calc'!A0", causing a command prompt to be opened. 
> This can be exploited with values starting with =, +, -, or .
> This feature would add a flag to CSVFormat called "escapeFormulas" that would defend
against creating vulnerable CSV files like this by prepending a single-quote to any CSV column
value starting with the four aforementioned characters.  Also added would be a predefined
format EXCEL_WITHOUT_FORMULAS that could be used for safely exporting data that was not intended
to contain formulas. 
> I believe it is important to add this as a feature to CSVFormat rather than relying on
users to manually escape formulas because many users do not know about this security vulnerability,
but would prefer to defend against it if aware. 
> More information:
> https://www.owasp.org/index.php/CSV_Excel_Macro_Injection
> https://hackerone.com/reports/72785
> http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message