[ https://issues.apache.org/jira/browse/CSV-199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15553687#comment-15553687 ]

Phil Varner commented on CSV-199:
---------------------------------

Also, I've already written code that modifies CSVFormat to add this feature, 
and would like feedback as to whether it's an appropriate feature to add and, 
if so, to where I should submit the patch.

> CSVFormat option to defend against CSV Excel Macro Injection (CEMI) attacks
> ---------------------------------------------------------------------------
>
>                 Key: CSV-199
>                 URL: https://issues.apache.org/jira/browse/CSV-199
>             Project: Commons CSV
>          Issue Type: New Feature
>          Components: Printer
>    Affects Versions: 1.4
>            Reporter: Phil Varner
>
> A common use for Commons CSV is to export user-generated data for analysis in 
> spreadsheet software like Excel.  One attack against this usage is for a user 
> to create data that appears as a formula to Excel, such that Excel executes 
> it.  For example, a simple non-malicious example of this is a CSV file like:
> {code}
> Name,Email,Favorite Color
> Aaron Aaronson,[email protected],=1+1
> {code}
> When opened, Excel will execute the macro and display "2".  A malicious 
> example could, for example, use "=cmd|' /C calc'!A0", causing a command 
> prompt to be opened. 
> This can be exploited with values starting with =, +, -, or .
> This feature would add a flag to CSVFormat called "escapeFormulas" that would 
> defend against creating vulnerable CSV files like this by prepending a 
> single-quote to any CSV column value starting with the four aforementioned 
> characters.  Also added would be a predefined format EXCEL_WITHOUT_FORMULAS 
> that could be used for safely exporting data that was not intended to contain 
> formulas. 
> I believe it is important to add this as a feature to CSVFormat rather than 
> relying on users to manually escape formulas because many users do not know 
> about this security vulnerability, but would prefer to defend against it if 
> aware. 
> More information:
> https://www.owasp.org/index.php/CSV_Excel_Macro_Injection
> https://hackerone.com/reports/72785
> http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
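A standalone Python sketch of the proposed escapeFormulas behaviour, added here as an illustration and not the Commons CSV patch itself; it assumes the trigger set the issue lists (=, +, -, .) and adds a small audit helper for checking files that have already been exported.

```python
import csv
import io

# Leading characters that spreadsheet software may interpret as the start of a
# formula. This follows the four characters listed in the issue; the set is a
# parameter because deployments commonly extend it (e.g. with @).
FORMULA_TRIGGERS = frozenset("=+-.")


def escape_formula(value, triggers=FORMULA_TRIGGERS):
    """Prefix a single quote so the cell is treated as literal text.

    Only non-empty strings are affected; numbers and None pass through
    unchanged, so an exporter applies this per field, not per line.
    """
    if isinstance(value, str) and value and value[0] in triggers:
        return "'" + value
    return value


def export_rows(rows, escape_formulas=True):
    """Write rows as CSV text in the Excel dialect and return the text.

    Mirrors the proposed CSVFormat flag: escape_formulas=False gives the
    plain Excel-compatible output, True passes every field through
    escape_formula() first.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, dialect="excel")
    for row in rows:
        if escape_formulas:
            row = [escape_formula(cell) for cell in row]
        writer.writerow(row)
    return buf.getvalue()


def count_risky_cells(csv_text, triggers=FORMULA_TRIGGERS):
    """Audit an existing CSV file: count cells that still begin with a trigger."""
    reader = csv.reader(io.StringIO(csv_text))
    return sum(1 for row in reader for cell in row if cell and cell[0] in triggers)


# Constructed sample rows (hypothetical addresses); the =1+1 value is the
# non-malicious example from the issue, -blue shows a second trigger.
SAMPLE_ROWS = [
    ["Name", "Email", "Favorite Color"],
    ["Aaron Aaronson", "aaron@example.com", "=1+1"],
    ["Betty Baker", "betty@example.com", "-blue"],
    ["Carl Carlson", "carl@example.com", "green"],
]

if __name__ == "__main__":
    for flag in (False, True):
        text = export_rows(SAMPLE_ROWS, escape_formulas=flag)
        print(f"escape_formulas={flag}: {count_risky_cells(text)} risky cell(s)")
        print(text)
```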