CSV Injection while export users in thorsten/phpmyfaq
Reported on
Jun 30th 2023
1 admin add a user, or a user signup.
2 the user logins and edit himeself
3 the user change his realname as "=1+cmd|'/C calc'!A0"
4 admin go to export the users as a csv file
5 admin open the csv and we can see that the calculator is opened.
see https://owasp.org/www-community/attacks/CSV_Injection to fix it.
Impact
Hijacking the user’s computer
Exfiltrating contents from the spreadsheet, or other open spreadsheets.
Exporting Comments is also vulnerabe.
Additional fix: https://github.com/thorsten/phpMyFAQ/commit/e16daf99c28b47a205f74004681f3e2e6a842723