Comma Separated Vulnerability (CSV)

Comma Separated Vulnerability (CSV) or in my own words client side command injection. Is an attack technique, where attacker exploit “Download as a CSV” functionality in web applications, and execute any system commands in victim’s system.

Today’s modern web applications offers multiple options for bulk import/export of data like Comma-Separated Text, Microsoft Excel, XML, Tab-Separated Text, FileMaker Pro, HTML Table . This exploit comes into picture when application support CSV file export without having proper sanitization in place. CSV is a simple file format used to store tabular data, such as a spreadsheet or database. Files in the CSV format can be imported to and exported from programs that store data in tables, such as Microsoft Excel or OpenOffice Calc. Usually the resulting spreadsheet or database cell often contain input from untrusted sources such as customer feedback, contact addresses, comments.

When any cells in the spreadsheet starts with the ‘=’ character will be interpreted as formulae, hence malicious input from untrusted source became risky. E.g. organization allow admin to export the contact address of customers who shows interest for their product and share their address for future communication. In this scenario, if a malicious customer post their contact address as following:

=cmd|' /C shutdown –s –f'!A0

When the administrator will download, and open the recent spreadsheet it will show the below messages, this pop message is displayed by Microsoft Office as something is fishy. But usually this kind of pop message appears when you open micro enabled excel as well. So, in this case if the admin will just ignore these messages and press Enable and Yes to proceed, then the file will get open and the above command will get executed, which will shut down the system, instead system shut down attacker can execute any command of his choice (delete files, format drive, create user, etc.).