Closed Bug 1263581 Opened 10 years ago Closed 10 years ago

CSV injection (Bypassed Bug 1054702)

Categories

(Bugzilla :: Query/Bug List, defect)

defect
Not set
normal


RESOLVED DUPLICATE of bug 1259881

People

(Reporter: p4r3sh.p4rm4r, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36

Steps to reproduce:

Hi,

Recently you fixed this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1054702. I am able to bypass this using the newline char 0x0A. As described in that report, /buglist.cgi allows downloading CSV files. So create a new report as %0A-2+3+cmd|' /C calc'!D2 and submit it; now search for your report and export it as CSV. I tried this on Excel 2007 and 2013 and it works in both of them.

Actual results:

After doing some research regarding the newline (0x0A) character in CSV rows, I have found that this issue is quite common. This issue varies based on the encoding; on my machine (Windows 8) Excel uses Unicode encoding to view the file, that's why it treats the newline character as a new row and so the payload after =, - or + gets executed. This problem will reproduce for users that have Excel using Unicode encoding. Here are some articles I think you should read to identify the problem:

http://stackoverflow.com/questions/1241220/generating-csv-file-for-excel-how-to-have-a-newline-inside-a-value
http://stackoverflow.com/questions/2668678/importing-csv-with-line-breaks-in-excel-2007

Expected results:

Mitigation of this issue is simple: do not add newline (0x0A) characters in the title of the report in the exported CSV file.

Regards
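A defensive illustration of the mitigation described above, added here as an example; it is not Bugzilla's code and not the reporter's. It shows a CSV export routine that removes line breaks from each cell and then checks the first character a spreadsheet would actually act on, next to an assumed first-character-only check of the kind the report says was bypassed, plus an audit function that re-parses an export and flags cells a spreadsheet would evaluate. The sample rows are constructed; the second title is the payload quoted in the report.

```python
"""Defensive CSV export: neutralise spreadsheet formula cells, including the
newline-prefixed bypass described in this report. Added example, not Bugzilla code."""
import csv
import io

# Leading characters that desktop spreadsheets interpret as a formula or command.
FORMULA_TRIGGERS = frozenset("=+-@\t\r")


def first_char_only_is_formula(value: str) -> bool:
    """Check that looks only at the very first character (assumed to be how the
    bypassed filter behaved); a leading 0x0A makes it return False."""
    return bool(value) and value[0] in FORMULA_TRIGGERS


def is_formula_like(value: str) -> bool:
    """Check the first character the spreadsheet would act on: skip whitespace
    and line breaks, since Excel treats a line break as a row separator."""
    stripped = value.lstrip(" \t\r\n\x0b\x0c")
    return bool(stripped) and stripped[0] in FORMULA_TRIGGERS


def neutralize_cell(value: str) -> str:
    """Return a cell value that a spreadsheet will display as text.
    1. Join line breaks (Python's splitlines set) with spaces so one CSV cell
       cannot become two spreadsheet rows.
    2. Prefix a single quote when the remaining text would be read as a formula."""
    flat = " ".join(value.splitlines())   # "\n-2+3..." -> " -2+3..."
    if is_formula_like(flat):
        return "'" + flat
    return flat


def naive_neutralize(value: str) -> str:
    """First-character-only variant kept for comparison (assumed behaviour of the
    bypassed fix): leaves the newline-prefixed payload untouched."""
    return "'" + value if first_char_only_is_formula(value) else value


def export_csv(header, rows, *, neutralize=neutralize_cell) -> str:
    """Write header and rows as CSV, passing every cell through `neutralize`."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow([neutralize(str(c)) for c in header])
    for row in rows:
        writer.writerow([neutralize(str(c)) for c in row])
    return buf.getvalue()


def audit_csv(csv_text: str) -> list:
    """Re-parse an exported CSV and report (row, column) positions of cells a
    spreadsheet would evaluate. An empty list means the export is clean."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                findings.append((r, c))
    return findings


# Constructed sample bug rows; the second summary is the payload quoted in the report.
SAMPLE_HEADER = ["bug_id", "summary", "status"]
SAMPLE_ROWS = [
    (1, "Crash when opening preferences", "NEW"),
    (2, "\n-2+3+cmd|' /C calc'!D2", "NEW"),
]

if __name__ == "__main__":
    # First-character-only check: the payload survives and the audit flags row 2, column 1.
    print(audit_csv(export_csv(SAMPLE_HEADER, SAMPLE_ROWS, neutralize=naive_neutralize)))
    # Hardened export: no findings.
    print(audit_csv(export_csv(SAMPLE_HEADER, SAMPLE_ROWS)))
```

The single-quote prefix follows the usual spreadsheet-injection guidance and stays visible in the cell; the part that matters for this report is that the check runs after line breaks are removed, so a leading 0x0A can no longer hide the formula character on the next spreadsheet row. Run it directly to see the audit result for both export variants.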
Component: General → Query/Bug List
OS: Unspecified → All
Product: Marketplace → Bugzilla
Hardware: Unspecified → All
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
QA Contact: default-qa
Resolution: --- → DUPLICATE
Hi, this bug, #1259881 and #1054702 are the same issue! (Both are using the same payload ("-2+3+cmd|' /C calc'!A0").) I tested #1259881 and was UNABLE TO REPRODUCE it using "-2+3+cmd|' /C calc'!A0", so I tried with %0A-2+3+cmd|' /C calc'!D2 and it's working with the newline Unicode character! Can you please take a look again! Thanks
(In reply to Paresh from comment #2)
> so I tried with %0A-2+3+cmd|' /C calc'!D2 and it's working with the newline
> Unicode character!

Please comment in the other bug to keep the discussion in one single bug. This is easier.