CSV injections are not very well known but can be dangerous for the user who opens the file because, as OWASP puts it: “The user assumes that it is only a csv file and that it won’t contain functions or macro’s and won’t care about any warnings from Excel about potential malicious functionality in the file.” (https://www.owasp.org/index.php/CSV_Excel_Macro_Injection).
I love WordPress, and my favourite game is researching vulnerabilities in its plugins. Count per Day is my latest victim, and I will explain what I found.
Count per Day is a WordPress plugin that gives you a simple view of your audience: which content is the most popular, how many visitors came, etc.
On the dashboard, there is a small feature that lets you download a report with all of this information as a CSV file.
This vulnerability is very easy to exploit: go to a page of the website and, with BurpSuite for example, change the Referer header to =3*3.
This inserts a row into the database and, if the administrator exports the results to CSV and opens the file, the field evaluates to 9:
Now, you probably think: “And so what? It’s not very dangerous…”. Let me say you’re wrong! To understand why, just read this post: http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/.
So, how do you protect your file against this kind of injection? Just add a single quote before the string if the first character is :
With that, Excel or LibreOffice will not execute the content of the cell.
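As an added illustration (not the plugin's own code, which is PHP), here is the single-quote prefixing described above applied to a CSV export. The post's list of trigger characters did not survive on this page, so the set used below (=, +, -, @, plus a leading tab or carriage return) is an assumption based on the usual CSV-injection guidance; the sample rows are constructed.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula.
# Assumption: the commonly cited set, since the post's own list is missing here.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def sanitize_csv_field(value):
    """Return `value` safe to write into a CSV cell.

    A string whose first character would start a formula gets a single
    quote prepended, so the spreadsheet displays it as literal text.
    Non-string values (e.g. the plugin's visit counters) pass through
    unchanged so numeric columns stay numeric.
    """
    if not isinstance(value, str):
        return value
    if value.startswith(FORMULA_PREFIXES):
        return "'" + value
    return value


def export_rows(rows):
    """Serialise rows (lists of cells) to CSV text, sanitising every string cell."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([sanitize_csv_field(cell) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a normal referer next to the =3*3 referer from the post.
    sample = [
        ["date", "referer", "visits"],
        ["2016-03-01", "https://example.com/", 12],
        ["2016-03-01", "=3*3", 1],
    ]
    print(export_rows(sample))
```

Note that a string such as "-5" is also prefixed, so values that are genuinely numeric should be written as numbers rather than strings to keep them usable in the spreadsheet.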
This vulnerability has been patched in version 3.5.5.