hackerone | doosec101 | H1:1748961
History: Oct 25, 2022 - 8:59 a.m.

Consensys: CSV Injection at https://assets-paris-demo.codefi.network/

2022-10-25 08:59:53
doosec101
hackerone.com
$500
29

EPSS: 0.006 (Low), percentile 78.6%

Summary:

Hi consensys Security Team.

I have found a CSV Injection when generating a report at https://assets-paris-demo.codefi.network/

CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files.
When a spreadsheet program such as Microsoft Excel or LibreOffice Calc is used to open a CSV, any cells starting with = will be interpreted by the software as a formula. Maliciously crafted formulas can be used for three key attacks:

- Hijacking the user’s computer by exploiting vulnerabilities in the spreadsheet software, such as CVE-2014-3524.
- Hijacking the user’s computer by exploiting the user’s tendency to ignore security warnings in spreadsheets that they downloaded from their own website.
- Exfiltrating contents from the spreadsheet, or other open spreadsheets.

Steps To Reproduce:

  1. Create an account at https://assets-paris-demo.codefi.network/
  2. Go to Client management
  3. Create new client
  4. At Client name*, put this payload:- =cmd|' /C notepad'!'A1'
  5. After creating the new client, download the data.

Supporting Material/References:

{F2002581}

##Similar valid reports at hackerone:-

Please let me know if you need more info.
Best Regards.
@doosec101

Impact

This vulnerability can be harmful for a normal user, because if a malicious user injects a malicious script in the token note, then when a customer user downloads the CSV file, the inserted command runs directly when the CSV file is opened.

##FIX:-
Prefix =, +, - and @ symbols with a ' in issues when exporting them to a .csv file.
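
One way to apply the fix above at export time, as an added example that is not part of the original report and not Consensys code. The function names, column names and sample rows are assumptions made for illustration; the check also skips leading whitespace, which goes slightly beyond the fix as stated.

```python
import csv
import io

# Leading characters the report's fix names as formula triggers.
FORMULA_TRIGGERS = ("=", "+", "-", "@")


def neutralize_cell(value):
    """Return value as text a spreadsheet will not evaluate as a formula."""
    text = "" if value is None else str(value)
    # Assumption (defensive): ignore leading whitespace when looking for a
    # trigger, so a payload padded with spaces or tabs is caught as well.
    stripped = text.lstrip(" \t\r\n")
    if stripped.startswith(FORMULA_TRIGGERS):
        # The single quote makes the spreadsheet treat the cell as text.
        return "'" + text
    return text


def export_clients_csv(rows, header):
    """Serialize rows to CSV text, neutralizing every user-controlled cell."""
    buf = io.StringIO()
    # QUOTE_ALL keeps commas, quotes and newlines inside a value from
    # breaking out of its cell and starting a new one.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample data: the second client name is the payload from the
# reproduction steps; the other values are benign.
SAMPLE_ROWS = [
    ["Acme Ltd", "acme@example.com"],
    ["=cmd|' /C notepad'!'A1'", "attacker@example.com"],
    ["  +1 555 0100", "-"],
]

if __name__ == "__main__":
    print(export_clients_csv(SAMPLE_ROWS, ["Client name", "Email"]))
```

Legitimate values that begin with a trigger character, such as negative numbers, are also exported as text, so numeric columns that never carry user input can be left out of the neutralization step.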