Closed
Bug 1054702
Opened 10 years ago
Closed 10 years ago
CSV export vulnerable to formulae injection
Categories
(Bugzilla :: Query/Bug List, defect)
Tracking
()
RESOLVED
FIXED
Bugzilla 4.0
People
(Reporter: albinowax, Assigned: mail)
References
Details
(Keywords: reporter-external, sec-vector, Whiteboard: [reporter-external])
Attachments
(1 file, 1 obsolete file)
|
1.38 KB,
patch
|
glob
:
review+
|
Details | Diff | Splinter Review |
buglist.cgi lets users export lists of bugs as CSVs, to be opened in desktop spreadsheet software. Any fields starting with '=' will be interpreted by the opening software as formulas, which are effectively active content. Formulas can used for a variety of attacks on users' computers including exfiltrating the CSV contents, exploiting the users' trust in the originating site to compromise their computer via DDE (Microsoft Excel), or using an exploit like CVE-2014-3524 (currently unfixed and non-public, affecting libreoffice&openoffice) to execute code with no user interaction. This issue could be resolved by prefixing all cells that start with an = with a single quote.
|
Assignee | |
Updated•10 years ago
|
Assignee: import-export → query-and-buglist
Component: Bug Import/Export & Moving → Query/Bug List
Flags: sec-bounty?
|
|
Assignee | |
Comment 1•10 years ago
|
||
I've confirmed this with the latest version of LibreOffice in Fedora 20. If no one picks it up today, I'll work on it tomorrow.
|
|
Assignee | |
Updated•10 years ago
|
Assignee: query-and-buglist → sgreen
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 2•10 years ago
|
||
Thankfully everything that could possibly generate a string in CSV goes through the CSV filter. I also made a change to address an issue when both the row description and column description starts with a quote (although that is very unlikely to actually happen). Note: When I attempt to load the files in LibreOffice 4.2.6.2, it does show the leading single quote. A quick Internet search doesn't seem to show a way to not have the single quote. Still much better than importing a formula.
Attachment #8474286 -
Flags: review?(glob)
Comment on attachment 8474286 [details] [diff] [review] v1 patch Review of attachment 8474286 [details] [diff] [review]: ----------------------------------------------------------------- you're not actually escaping the =, instead you're inserting a character which makes it no longer recognisable as a formula (this is why it's visible in the spreadsheet). given that, i would prefer to see space used instead of a single quote. this works in excel; can you test in libre? ::: Bugzilla/Template.pm @@ +833,4 @@ > csv => sub > { > my ($var) = @_; > + $var = "'$var" if substr($var, 0, 1) eq '='; nit: |$var = "'" . $var if ..| will avoid the unnecessary string interpolation.
Attachment #8474286 -
Flags: review?(glob) → review-
|
|
||
Updated•10 years ago
|
Whiteboard: [reporter-external]
|
|
Assignee | |
Comment 5•10 years ago
|
||
LibreOffice (and thus I assume OOo) doesn't escape strings that start with space + equals. Also fixed the nit.
Attachment #8474286 -
Attachment is obsolete: true
Attachment #8474851 -
Flags: review?(glob)
Comment on attachment 8474851 [details] [diff] [review] v2 patch Review of attachment 8474851 [details] [diff] [review]: ----------------------------------------------------------------- r=glob
Attachment #8474851 -
Flags: review?(glob) → review+
Flags: approval4.4+
Flags: approval4.2+
Flags: approval4.0+
Flags: approval+
Target Milestone: --- → Bugzilla 4.0
Version: unspecified → 3.6
|
|
||
Comment 7•10 years ago
|
||
Why is this bug tagged as a security bug? It's an issue in Excel/LibO/OO IMO, not a Bugzilla bug.
|
Reporter | |
Comment 8•10 years ago
|
||
The code execution vulnerabilities in OO/LibO aren't Bugzilla bugs, but the content exfiltration attack is just the spreadsheet version of XSS. XSS occurs when a website places untrusted active content in an origin with sensitive information, and formula injection occurs when a website places untrusted active content in a spreadsheet with sensitive information. It isn't Excel's fault for supporting formulas any more than XSS is web browsers' fault for supporting javascript. I've made a more detailed post on the techniques at http://contextis.co.uk/resources/blog/comma-separated-vulnerabilities/
|
||
Comment 9•10 years ago
|
||
(In reply to Frédéric Buclin from comment #7) > Why is this bug tagged as a security bug? It's an issue in Excel/LibO/OO > IMO, not a Bugzilla bug. It doesn't matter whose bug it is, bugzilla is used by folks in environments with those very common programs and the combination can result in harm. That makes it a security bug.
|
|
||
Comment 10•10 years ago
|
||
The IRC sentiment seemed to be that this doesn't need a CVE because it's not a bugzilla bug per se (we're just trying to help out), and the spreadsheet programs already have a CVE for the problem on their end. If you end up wanting a CVE after all please needinfo? me or find me on IRC
Keywords: sec-vector
|
|
||
Comment 11•10 years ago
|
||
CSV reports have been implemented in 2.17.1, see bug 12282.
Version: 3.6 → 2.17.1
|
||
Comment 12•10 years ago
|
||
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git 19576a8..75f12db 4.0 -> 4.0 To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git 976dc12..0ec036b 4.2 -> 4.2 To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git a92eee1..b578b2a 4.4 -> 4.4 To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git fa954ab..10e40c5 master -> master
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
|
|
||
Updated•10 years ago
|
Group: bugzilla-security
|
|
||
Updated•10 years ago
|
Flags: sec-bounty? → sec-bounty+
|
|
||
Updated•1 month ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•