[issue26399] CSV Injection Vulnerability
Acid
report at bugs.python.org
Sun Feb 21 05:54:16 EST 2016
New submission from Acid:
The "Download as CSV " feature of bugs.python.org does not properly "escape" fields. This allows an adversary to turn a field into active content so when we download the csv and opens it, the active content gets executed. Here is more information about this issue:
http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/
Steps to Reproduce.
1. Enter the title with the payload : -2+3+cmd|' /C calc'!A0
2. Download the bugs as CSV
3. Open it with excel and Calc will get prompted.
Depending upon the system user privileges, an attacker can perform various tasks using the same.
If the user is with high privilege, it is easy to change the system password as mentioned below
-2+3+cmd|' /C net user administrator lol at 123'!A0
Mitigations:
Ensure all fields are properly "escaped" before returning the CSV file to the user.
Regards,
Acid
----------
title: -2+3+cmd|' /C calc'!A0 -> CSV Injection Vulnerability
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue26399>
_______________________________________
More information about the Python-bugs-list
mailing list