Count per Day Wordpress Plugin : CSV Injection

PUBLISHED ON MAY 16, 2016 — SECURITY

CSV injections are not very well known but can be dangerous for the user who opens the file because, as OWASP puts it: “The user assumes that it is only a csv file and that it won’t contain functions or macro’s and won’t care about any warnings from Excel about potential malicious functionality in the file.” (https://www.owasp.org/index.php/CSV_Excel_Macro_Injection).

I love WordPress and my favorite game is to hunt for vulnerabilities in its plugins. Count per Day is my latest victim, and I will explain what I found.

Context

Count per Day is a WordPress plugin that gives you a simple view of your audience: which content is the most popular, how many visitors came, and so on.

On the dashboard, there is a small feature that lets you download a report with all this information as a CSV file.

Exploit

This vulnerability is very easy to exploit: visit a page of the website and, with Burp Suite for example, change the Referer header to =3*3.

Changing the Referer header with Burp Suite

This should insert a row into the database and, if the administrator exports the results to CSV and opens the file, the field should evaluate to 9:

CSV file after injection

Now, you probably think: “So what? It’s not very dangerous…”. Let me say you’re wrong! To understand why, just read this post: http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/.

Protection

So, how do you protect your file against this kind of injection? Just add a single quote before the string if its first character is:

  • Equal (=)
  • Plus (+)
  • Minus (-)
  • At (@)

With that, Excel or LibreOffice will display the cell as plain text instead of evaluating it as a formula.
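The protection described above, as an added example that is not the plugin’s own code: a small Python exporter that prefixes the single quote, plus a check that scans an existing export for cells a spreadsheet would evaluate. It goes slightly beyond the list in the post by also treating a leading tab or carriage return as a formula trigger; the visit rows are constructed sample data.

```python
import csv
import io

# Leading characters that make Excel and LibreOffice evaluate a cell.
# The post lists = + - @; tab and carriage return are added here as an
# extension, since OWASP's CSV injection guidance treats them the same way.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Prefix a single quote so the spreadsheet shows the text literally."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_csv(header, rows, neutralize=True):
    """Serialize rows as CSV text; neutralize=False reproduces the unsafe export."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(c) if neutralize else c for c in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Defensive check on an export: (row, col) of cells that would be evaluated."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_TRIGGERS):
                hits.append((r, c))
    return hits


# Constructed sample data (hypothetical visits): the third column plays the
# role of the stored Referer header; rows 1 and 3 carry tampered values.
SAMPLE_HEADER = ("date", "page", "referer")
SAMPLE_VISITS = [
    ("2016-05-16", "/about/", "=3*3"),
    ("2016-05-16", "/contact/", "https://example.org/"),
    ("2016-05-16", "/", "@SUM(1,2)"),
]

if __name__ == "__main__":
    print("unsafe export flags:", find_formula_cells(export_csv(SAMPLE_HEADER, SAMPLE_VISITS, neutralize=False)))
    print("safe export flags:", find_formula_cells(export_csv(SAMPLE_HEADER, SAMPLE_VISITS)))
```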

UPDATE:

This vulnerability has been patched in version 3.5.5.