CWE-1236: Improper Neutralization of Formula Elements in a CSV File

Weakness ID: 1236
Vulnerability Mapping: ALLOWED (this CWE ID may be used to map to real-world vulnerabilities)
Abstraction: Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.
Description

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

Extended Description

User-provided data is often saved to traditional databases. This data can be exported to a CSV file, which allows users to read the data using spreadsheet software such as Excel, Numbers, or Calc. This software interprets entries beginning with '=' as formulas, which are then executed by the spreadsheet software. The software's formula language often allows methods to access hyperlinks or the local command line, and frequently allows enough characters to invoke an entire script. Attackers can populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software.

Alternate Terms

- CSV Injection
- Formula Injection
- Excel Macro Injection
Common Consequences

This table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Scope | Impact | Likelihood
---|---|---
Confidentiality | Technical Impact: Read Application Data; Execute Unauthorized Code or Commands. Current versions of Excel warn users of untrusted content. | Low
Potential Mitigations

Phase: Implementation
When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at). Note: Unfortunately, there is no perfect solution, since different spreadsheet products act differently.

Phase: Implementation
If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula. Note: It is not clear how effective this mitigation is with other spreadsheet software.

Phase: Architecture and Design
Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user. Note: This mitigation has limited effectiveness because it often depends on end users opening spreadsheet software safely.
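The two Implementation-phase mitigations above amount to one rule applied at export time: any string cell that begins with a formula trigger character gets a leading apostrophe before it is written. The following is an added example, not part of the CWE entry or of any product it describes, showing that rule in a Python CSV export plus a check that re-parses the output and flags any cell that still looks like a formula. It assumes the four characters the entry names and, as a generalization beyond the page, also treats tab and carriage return as triggers (OWASP's CSV-injection guidance lists them); the `SAMPLE_ROWS` data is constructed for the example.

```python
import csv
import io

# Characters a spreadsheet may treat as the start of a formula: the four named
# in the CWE text ('=', '+', '-', '@') plus tab and carriage return, which are
# added here as a generalization (assumption, following OWASP guidance).
FORMULA_TRIGGER_CHARS = frozenset("=+-@\t\r")


def looks_like_formula(value: str) -> bool:
    """True if a cell value would be read as a formula when the CSV is opened."""
    return bool(value) and value[0] in FORMULA_TRIGGER_CHARS


def neutralize_formula(value):
    """Prefix formula-like string cells with a single apostrophe.

    The apostrophe makes Excel treat the cell as literal text. Only str values
    are touched; numbers written by the csv module never start with a trigger.
    A negative number stored as a *string* (e.g. "-42") is neutralized too,
    because the spreadsheet cannot distinguish it from a formula at parse time;
    emit real numeric types if you want them to stay numeric.
    """
    if isinstance(value, str) and looks_like_formula(value):
        return "'" + value
    return value


def rows_to_csv(rows) -> str:
    """Serialize rows to CSV text with every cell neutralized.

    QUOTE_ALL wraps every field, so a value containing a delimiter, quote or
    newline cannot spill into a neighbouring cell or row when opened.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_formula(cell) for cell in row])
    return buf.getvalue()


def csv_has_formula_cells(csv_text: str) -> bool:
    """Defensive gate for an export pipeline or unit test: parse the CSV back
    and report whether any cell still begins with a formula trigger."""
    reader = csv.reader(io.StringIO(csv_text))
    return any(looks_like_formula(cell) for row in reader for cell in row)


# Constructed sample export: a contact-form dump in which one "last name"
# value is shaped like a formula (the scenario the Observed Examples describe).
SAMPLE_ROWS = [
    ["first_name", "last_name", "email"],
    ["Ada", "Lovelace", "ada@example.test"],
    ["Eve", '=HYPERLINK("http://example.test/x","click")', "eve@example.test"],
    ["Bob", "-42", "bob@example.test"],
]

if __name__ == "__main__":
    out = rows_to_csv(SAMPLE_ROWS)
    print(out)
    print("formula cells remaining:", csv_has_formula_cells(out))
```

Run the module directly to see the neutralized export; `csv_has_formula_cells` is the kind of assertion worth keeping in the test suite of any feature that writes user data to CSV. As the entry's own note says, the apostrophe is an Excel-oriented fix: other spreadsheet products may show the apostrophe as part of the cell text or handle it differently, which is a cosmetic cost rather than a security one.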
Relationships

Modes Of Introduction

The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.

Phase | Note
---|---
Implementation | The weakness is in the implementation of a software's CSV export feature, in particular how it formats formula entries as the output gets flattened into a text file.
Demonstrative Examples

Example 1

Hyperlinks or other commands can be executed when a cell begins with the formula identifier, '='.

(attack code) Example Language: Other

    =HYPERLINK(link_location, [friendly_name])

Stripping the leading equals sign, or simply not executing formulas from untrusted sources, impedes malicious activity.

    HYPERLINK(link_location, [friendly_name])
Observed Examples

Reference | Description
---|---
 | Low privileged user can trigger CSV injection through a contact form field value
 | Cloud management product allows arbitrary command execution via CSV injection
 | CSV injection in content management system via formula code in a first or last name
Memberships

This MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.

Vulnerability Mapping Notes

Usage: ALLOWED (this CWE ID could be used to map to real-world vulnerabilities)
Reason: Acceptable-Use
Rationale: This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments: Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.