Closed Bug 1223168 Opened 9 years ago Closed 9 years ago

Command Injection using CSV export

Categories

(Thunderbird :: Security, defect)

Product:
Thunderbird
Component:
Security
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INVALID

People

(Reporter: shahmeerbond, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36 OPR/33.0.1990.58

Steps to reproduce:

Hello there Mozilla team
This is Shahmeer and i would like to report a command injection vulnerability in the thunderbird CSV export feature described in 

As a malicious user, I can add the following payload to an email field in the CSV "=1+1"



Actual results:

As a legitimate user, when one downloads CSV file containing the payload
He now open this CSV file in excel or another spreadsheet program
You can see the cell containing the Note field in is displayed as "2" which means the code is executed.


Expected results:

The CSV should have been filtered, This import can cause Remote command injection using thunderbird
CSV is a data format that contain arbitrary strings. That's not unexpected or a problem. If Excel is executing imported CSV as formulas, that might be an issue for Excel.
Group: mail-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.