Issue 26399: CSV Injection Vulnerability

Created on 2016-02-21 10:45 by Acid, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (4)
msg260602 - Author: Acid (Acid) Date: 2016-02-21 10:54
The "Download as CSV" feature of bugs.python.org does not properly "escape" fields. This allows an adversary to turn a field into active content, so when we download the CSV and open it, the active content gets executed. Here is more information about this issue: http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/

Steps to reproduce:
1. Enter the title with the payload: -2+3+cmd|' /C calc'!A0
2. Download the bugs as CSV
3. Open it with Excel and Calc will get prompted.

Depending upon the system user privileges, an attacker can perform various tasks using the same. If the user is with high privilege, it is easy to change the system password as mentioned below: -2+3+cmd ' /C net user administrator lol@123'!A0

Mitigations: Ensure all fields are properly "escaped" before returning the CSV file to the user.

Regards,
Acid
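As an added example (not code from this tracker or from Roundup), here is one way to apply the mitigation Acid asks for: neutralize formula-leading cells at export time so a spreadsheet shows them as text. The prefix list follows the OWASP "CSV Injection" guidance; the sample rows and the `sanitize_cell`/`rows_to_csv` names are constructed for this illustration.

```python
import csv
import io
import re

# Leading characters that Excel and LibreOffice Calc treat as the start of a
# formula. Tab and carriage return are included because some importers
# evaluate the cell after stripping them.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# A plain signed integer or decimal; these must stay numeric in the export.
PLAIN_NUMBER = re.compile(r"[+-]?\d+(\.\d+)?")


def sanitize_cell(value):
    """Return a cell value that a spreadsheet will display as text, never evaluate.

    A value that starts with a formula trigger is prefixed with a single quote,
    which spreadsheets treat as a "force text" marker. Plain numbers such as
    "-2" are left alone so numeric columns still sort and sum correctly.
    """
    if value is None:
        return ""
    text = str(value)
    if text.startswith(FORMULA_PREFIXES) and not PLAIN_NUMBER.fullmatch(text):
        return "'" + text
    return text


def rows_to_csv(header, rows):
    """Render rows as CSV text with every cell sanitized and double-quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([sanitize_cell(c) for c in header])
    for row in rows:
        writer.writerow([sanitize_cell(c) for c in row])
    return buf.getvalue()


# Constructed sample rows: the title from the report above plus a benign row.
SAMPLE_ROWS = [
    (26399, "-2+3+cmd|' /C calc'!A0", "open"),
    (26400, "Fix typo in docs", "closed"),
]

if __name__ == "__main__":
    print(rows_to_csv(["id", "title", "status"], SAMPLE_ROWS))
```

The leading quote is visible as a literal character in some viewers; that is the accepted trade-off of this approach, and it should be applied on every export path, not only the one a reporter noticed.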
msg260603 - Author: Acid (Acid) Date: 2016-02-21 10:57
The impact of this one is high, as "Download as CSV" is present for the guest user as well. This means anyone can download the bugs using the "Download as CSV" function, and because the file is downloaded from a trusted resource, the possibility is high that the code will get executed.
msg260624 - Author: Brett Cannon (brett.cannon) * (Python committer) Date: 2016-02-21 17:43
Tracker bugs should be reported to http://psf.upfronthosting.co.za/roundup/meta/ .
msg260724 - Author: Maciej Szulik (maciej.szulik) * (Python triager) Date: 2016-02-23 10:21
Closing in favor of http://psf.upfronthosting.co.za/roundup/meta/issue580
History
Date | User | Action | Args
2022-04-11 14:58:27 | admin | set | github: 70587
2016-02-23 10:21:39 | maciej.szulik | set | status: open -> closed; nosy: + maciej.szulik; messages: +; resolution: wont fix
2016-02-21 17:43:02 | brett.cannon | set | nosy: + brett.cannon; messages: +
2016-02-21 10:57:59 | Acid | set | messages: +
2016-02-21 10:54:16 | Acid | set | messages: +; title: -2+3+cmd|' /C calc'!A0 -> CSV Injection Vulnerability
2016-02-21 10:48:54 | Acid | set | title: -2+1 -> -2+3+cmd|' /C calc'!A0
2016-02-21 10:45:20 | Acid | create |