Closed Bug 1279878 Opened 8 years ago Closed 8 years ago

CSV injection

Categories

(bugzilla.mozilla.org :: General, defect)

Product:
bugzilla.mozilla.org
Component:
General
Version:
Production
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: anasroubi, Assigned: dkl)

Details

Attachments

(1 file)

1279878_1.patch
1.09 KB, patch
dylan
: review+
Details | Diff | Splinter Review 
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20160414065514

Steps to reproduce:

Make a new bug with the name [-2+3+cmd|' /C calc'!G2] (with out the squawker brackets ) the go to the  report and export it as CSV 
Open the CSV in Excel.
A warning will show up warning the user to disable execution unless he trusts the source of the file. The user may likely leave execution enable due to trusting the source. Click "enable".
A second warning will appear that states a similar message as the previous one ("only open if you trust the source..."). Click "yes"
The malicious code is executed - in this case it will just open the "calc" application. (Screenshot attached).


Actual results:

The -2+3+cmd|' /C calc'!G2 have made a commend in thw windows cmd


Expected results:

The -2+3+cmd|' /C calc'!G2 have made a commend in thw windows cmd
Group: firefox-core-security → bugzilla-security
Component: Untriaged → General
Flags: needinfo?(dylan)
Flags: needinfo?(dkl)
Product: Firefox → bugzilla.mozilla.org
Version: 45 Branch → Production
Already fixed.
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Re-opening because a bmo bug cannot be resolved duplicate of a bugzilla bug without any indication of if the change in question is resolved in bmo's codebase
Status: RESOLVED → REOPENED
Ever confirmed: true
Flags: needinfo?(dylan)
Flags: needinfo?(dkl)
Resolution: DUPLICATE → ---
Attached patch 1279878_1.patchSplinter Review 
Assignee: nobody → dkl
Status: REOPENED → ASSIGNED

        Attachment #8766103 -
        Flags: review?(dylan)

    
    

    
  
Comment on attachment 8766103 [details] [diff] [review]
1279878_1.patch

Review of attachment 8766103 [details] [diff] [review]:
-----------------------------------------------------------------

r=dylan

        Attachment #8766103 -
        Flags: review?(dylan) → review+

    
    

    
  
To https://github.com/mozilla-bteam/bmo.git
   7697add..19e2b19  master -> master
Status: ASSIGNED → RESOLVED
Closed: 8 years ago8 years ago
Resolution: --- → FIXED

    
    

    
  
Hi there 
is there any bounty for this vulnerability

Thanks

    
    

    
  
(In reply to Anas Roubi from comment #6)
> Hi there 
> is there any bounty for this vulnerability
> 
> Thanks

No. Due to the same reasons described in bug 1259881 comment 54.

dkl

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: