CSV Injection while exporting users in fossbilling/fossbilling

Valid

Reported on

Jun 30th 2023


1 The admin adds a client, or a client signs up.

2 The client logs in and edits their own profile.

3 The client changes their COMPANY field to "=1+cmd|'/C calc'!A0".

4 The admin exports the client list as a CSV file.

5 The admin opens the CSV in a spreadsheet application and the calculator is launched.

See https://owasp.org/www-community/attacks/CSV_Injection for how to fix it.
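The OWASP mitigation referenced above (prefix any cell that a spreadsheet would treat as a formula with a single quote, and quote every field) applied to a client export, as an added example that is not FOSSBilling's own code or the linked pull request; the record layout and the sample rows are constructed for the demonstration, with the company value taken from step 3:

```python
import csv
import io

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula
# (per the OWASP CSV Injection page). "-" is included even though it also
# starts negative numbers; numeric columns can be exempted by the caller.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return the cell text, prefixed with "'" if it would parse as a formula.

    The apostrophe makes the spreadsheet display the content as literal text.
    Embedded double quotes are doubled by the csv module, so only the leading
    trigger character is handled here.
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_clients_csv(rows, fieldnames):
    """Serialise client records to CSV, neutralising every exported cell.

    QUOTE_ALL wraps each field in double quotes so a value containing ","
    or ";" cannot spill into neighbouring cells.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL, lineterminator="\n"
    )
    writer.writeheader()
    for row in rows:
        writer.writerow({name: neutralize_cell(row.get(name)) for name in fieldnames})
    return buf.getvalue()


# Constructed sample data: the second client's company field carries the
# payload from the report's step 3.
SAMPLE_CLIENTS = [
    {"id": 1, "email": "alice@example.test", "company": "Example Ltd"},
    {"id": 2, "email": "mallory@example.test", "company": "=1+cmd|'/C calc'!A0"},
]

if __name__ == "__main__":
    print(export_clients_csv(SAMPLE_CLIENTS, ["id", "email", "company"]))
```

Opening the resulting file shows the company cell as the literal text `=1+cmd|'/C calc'!A0` rather than evaluating it.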

Impact

Hijacking the user’s computer

Exfiltrating contents from the spreadsheet, or other open spreadsheets.

Exporting comments is also vulnerable.

We are processing your report and will contact the fossbilling team within 24 hours. 3 months ago
Belle Aerni modified the Severity from Medium (6.8) to Medium (6.4) 3 months ago
Belle Aerni modified the Severity from Medium (6.4) to High (7.7) 3 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Belle Aerni validated this vulnerability 3 months ago

Thanks, this pull request resolves this by escaping any formulas when exporting a CSV: https://github.com/FOSSBilling/FOSSBilling/pull/1391

lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Belle Aerni marked this as fixed in 0.5.3 with commit 9402d6 3 months ago
Belle Aerni has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jul 1st 2023
Belle Aerni published this vulnerability 3 months ago