The Absurdly Underestimated Dangers of CSV Injection (georgemauer.net)
iONiUM writes: From the article:
"In some ways this is old news, but in other ways, well, I think few realize how absolutely devastating and omnipresent this vulnerability can be. It is an attack vector available in every application I’ve ever seen that takes user input and allows administrators to bulk export to CSV.
That is just about every application."
The article demonstrates 2 very easy ways to run code through CSV files, in both Excel and Google Sheets, and illustrates a prevention technique:
"And just like that, the attacker has free rein to download a keylogger, install things, and overall remotely execute code not merely on any other person’s computer, but on that of someone guaranteed to have access to all users’ data; for example, a manager or a company administrator. I wonder what other sort of files they might have lying around?"
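The submission mentions that the article illustrates a prevention technique but does not reproduce it. The following is an added example, not code from the article or from the submitter, showing the widely used defensive approach for a CSV export path: any cell whose text begins with a character that Excel or Google Sheets would interpret as a formula prefix (`=`, `+`, `-`, `@`, tab, carriage return) is prefixed with a single quote so the spreadsheet treats it as literal text. The function names, the `FORMULA_PREFIXES` list and the sample user records are assumptions constructed for this example; a second helper scans an existing export for unescaped formula-like cells, which is useful as a check on exports produced by code that predates the fix.

```python
import csv
import io

# Characters that cause Excel / Google Sheets to parse a cell as a formula.
# Tab and carriage return are included because some importers strip leading
# whitespace before checking for a formula prefix. (Constructed list for this
# example; adjust to the spreadsheet products your exports are opened in.)
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return value as text, prefixed with a single quote if it would be
    interpreted as a formula. The quote forces the cell to be read as text."""
    text = str(value)
    if text.startswith(FORMULA_PREFIXES):
        return "'" + text
    return text


def export_rows(rows, fieldnames):
    """Serialize rows to CSV text with every cell neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL, lineterminator="\n"
    )
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k, "")) for k in fieldnames})
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Scan CSV text for cells that a spreadsheet would treat as formulas.

    Returns (row_index, column_index, cell) tuples; an empty list means the
    export carries no formula-like cells. Intended as a check on exports
    produced without the escaping above."""
    hits = []
    for row_no, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for col_no, cell in enumerate(row):
            if cell.startswith(FORMULA_PREFIXES):
                hits.append((row_no, col_no, cell))
    return hits


# Constructed sample: user-supplied profile fields as an administrator might
# bulk-export them. The second record's display name is a benign formula used
# only to show that the prefix is neutralized.
SAMPLE_USERS = [
    {"username": "alice", "display_name": "Alice"},
    {"username": "bob", "display_name": '=HYPERLINK("http://example.invalid","click")'},
    {"username": "carol", "display_name": "-5 degrees"},
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_USERS, ["username", "display_name"]))
```

The trade-off is visible in the third sample record: a legitimate value such as `-5 degrees` also gets the leading quote, and some spreadsheet versions display that quote when importing a CSV. That is usually acceptable for an administrative export, but it is worth telling the people who consume the files why it is there; the alternative of dropping the prefix characters silently alters data, which is harder to reason about.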