Closed Bug 1054702 Opened 6 years ago Closed 6 years ago

CSV export vulnerable to formulae injection


(Bugzilla :: Query/Bug List, defect)

Not set



Bugzilla 4.0


(Reporter: albinowax, Assigned: mail)



(Keywords: sec-vector, Whiteboard: [reporter-external])


(1 file, 1 obsolete file)

buglist.cgi lets users export lists of bugs as CSVs, to be opened in desktop spreadsheet software. Any fields starting with '=' will be interpreted by the opening software as formulas, which are effectively active content. 

Formulas can used for a variety of attacks on users' computers including exfiltrating the CSV contents, exploiting the users' trust in the originating site to compromise their computer via DDE (Microsoft Excel), or using an exploit like CVE-2014-3524 (currently unfixed and non-public, affecting libreoffice&openoffice) to execute code with no user interaction.

This issue could be resolved by prefixing all cells that start with an = with a single quote.
Assignee: import-export → query-and-buglist
Component: Bug Import/Export & Moving → Query/Bug List
Flags: sec-bounty?
I've confirmed this with the latest version of LibreOffice in Fedora 20. If no one picks it up today, I'll work on it tomorrow.
Assignee: query-and-buglist → sgreen
Attached patch v1 patch (obsolete) — Splinter Review
Thankfully everything that could possibly generate a string in CSV goes through the CSV filter. I also made a change to address an issue when both the row description and column description starts with a quote (although that is very unlikely to actually happen).

Note: When I attempt to load the files in LibreOffice, it does show the leading single quote. A quick Internet search doesn't seem to show a way to not have the single quote. Still much better than importing a formula.
Attachment #8474286 - Flags: review?(glob)
Comment on attachment 8474286 [details] [diff] [review]
v1 patch

Review of attachment 8474286 [details] [diff] [review]:

you're not actually escaping the =, instead you're inserting a character which makes it no longer recognisable as a formula (this is why it's visible in the spreadsheet).

given that, i would prefer to see space used instead of a single quote.

this works in excel; can you test in libre?

::: Bugzilla/
@@ +833,4 @@
>              csv => sub
>              {
>                  my ($var) = @_;
> +                $var = "'$var" if substr($var, 0, 1) eq '=';

nit: |$var = "'" . $var if ..| will avoid the unnecessary string interpolation.
Attachment #8474286 - Flags: review?(glob) → review-
Whiteboard: [reporter-external]
Attached patch v2 patchSplinter Review
LibreOffice (and thus I assume OOo) doesn't escape strings that start with space + equals. Also fixed the nit.
Attachment #8474286 - Attachment is obsolete: true
Attachment #8474851 - Flags: review?(glob)
Comment on attachment 8474851 [details] [diff] [review]
v2 patch

Review of attachment 8474851 [details] [diff] [review]:

Attachment #8474851 - Flags: review?(glob) → review+
Flags: approval4.4+
Flags: approval4.2+
Flags: approval4.0+
Flags: approval+
Target Milestone: --- → Bugzilla 4.0
Version: unspecified → 3.6
Blocks: 1072497
Why is this bug tagged as a security bug? It's an issue in Excel/LibO/OO IMO, not a Bugzilla bug.
The code execution vulnerabilities in OO/LibO aren't Bugzilla bugs, but the content exfiltration attack is just the spreadsheet version of XSS. XSS occurs when a website places untrusted active content in an origin with sensitive information, and formula injection occurs when a website places untrusted active content in a spreadsheet with sensitive information. It isn't Excel's fault for supporting formulas any more than XSS is web browsers' fault for supporting javascript.

I've made a more detailed post on the techniques at
(In reply to Frédéric Buclin from comment #7)
> Why is this bug tagged as a security bug? It's an issue in Excel/LibO/OO
> IMO, not a Bugzilla bug.

It doesn't matter whose bug it is, bugzilla is used by folks in environments with those very common programs and the combination can result in harm. That makes it a security bug.
The IRC sentiment seemed to be that this doesn't need a CVE because it's not a bugzilla bug per se (we're just trying to help out), and the spreadsheet programs already have a CVE for the problem on their end. If you end up wanting a CVE after all please needinfo? me or find me on IRC
Keywords: sec-vector
CSV reports have been implemented in 2.17.1, see bug 12282.
Version: 3.6 → 2.17.1
To ssh://
   19576a8..75f12db  4.0 -> 4.0

To ssh://
   976dc12..0ec036b  4.2 -> 4.2

To ssh://
   a92eee1..b578b2a  4.4 -> 4.4

To ssh://
   fa954ab..10e40c5  master -> master
Closed: 6 years ago
Resolution: --- → FIXED
Group: bugzilla-security
Flags: sec-bounty? → sec-bounty+
See Also: → 1259881
You need to log in before you can comment on or make changes to this bug.