CSV Injection while export users in thorsten/phpmyfaq

Valid

Reported on

Jun 30th 2023

1 admin add a user, or a user signup.

2 the user logins and edit himeself

3 the user change his realname as "=1+cmd|'/C calc'!A0"

4 admin go to export the users as a csv file

5 admin open the csv and we can see that the calculator is opened.

see https://owasp.org/www-community/attacks/CSV_Injection to fix it.

Impact

Hijacking the user’s computer

Exfiltrating contents from the spreadsheet, or other open spreadsheets.

Exporting Comments is also vulnerabe.

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 3 months ago

We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back 3 months ago

Thorsten Rinne validated this vulnerability 3 months ago

lujiefsi has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Thorsten Rinne marked this as fixed in 3.1.16 with commit 03946e 3 months ago

This vulnerability has been assigned a CVE

This vulnerability is scheduled to go public on Jul 31st 2023

commented 3 months ago

Maintainer

Additional fix: https://github.com/thorsten/phpMyFAQ/commit/e16daf99c28b47a205f74004681f3e2e6a842723

Thorsten Rinne published this vulnerability 2 months ago

to join this conversation