CSV Injection in CSV files generated by the backend in alfio-event/alf.io
Reported on Mar 6th 2023
1 First, the admin creates the event and publishes it.
2 An unauthenticated user goes to the reservation page.
3 The unauthenticated user fills in the first name and last name as "=1+cmd|'/C calc'!A0".
4 The admin downloads all the attendees' data as CSV.
5 The admin opens the CSV file and the calculator is opened.
See the PoC: https://1drv.ms/v/s!AksJ421iyCG-mTBW7PhxTaDJGlbk?e=LudXWX
See https://owasp.org/www-community/attacks/CSV_Injection for how to fix it.
Impact
Hijacking the user’s computer
Exfiltrating contents from the spreadsheet, or other open spreadsheets.
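The neutralization OWASP recommends for this class of bug, as an added example in Python (not the alf.io project's code or the fix in its PR): cells that a spreadsheet would treat as a formula (leading `=`, `+`, `-`, `@`, tab or carriage return, also after leading spaces) are prefixed with an apostrophe so they are stored as text, and the export is fully quoted so embedded quotes and separators cannot break a cell. Function names and the sample rows are constructed for the example; the first row reuses the payload from the report.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula (OWASP list).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if the cell would be interpreted as a formula once opened in a spreadsheet.

    Leading spaces are skipped because some spreadsheet apps ignore them before the trigger.
    """
    return value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize_cell(value) -> str:
    """Make an untrusted value safe for CSV export.

    Formula-like cells get a leading apostrophe so the spreadsheet stores them as text
    (the OWASP guidance); everything else is returned unchanged.
    """
    text = "" if value is None else str(value)
    return "'" + text if is_formula_like(text) else text


def export_attendees(rows) -> str:
    """Write attendee rows to CSV text with every cell neutralized.

    csv.QUOTE_ALL wraps each field in double quotes and doubles embedded quotes, so a
    value containing a comma or quote cannot spill into a neighbouring cell.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["first_name", "last_name", "email"])
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample input: the payload from the report, a benign row, and a
# leading-whitespace variant with an embedded double quote.
SAMPLE_ATTENDEES = [
    ("=1+cmd|'/C calc'!A0", "Doe", "attendee@example.invalid"),
    ("Jane", "Smith", "jane@example.invalid"),
    ("  @SUM(A1:A9)", 'O"Brien', "x@example.invalid"),
]

if __name__ == "__main__":
    print(export_attendees(SAMPLE_ATTENDEES))
```

Some spreadsheet applications display the leading apostrophe rather than hiding it; that cosmetic cost is the accepted trade-off for keeping attacker-controlled text from being evaluated.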
Hi @lujiefsi, nice finding!
I've created a PR (https://github.com/alfio-event/alf.io/pull/1200); this will go in an M4 release.
To be noted, I don't have Excel; I've tested it with LibreOffice, so YMMV.