CVE-2020-28848: CSV Injection Vulnerability · Issue #5465 · ChurchCRM/CRM

CSV Injection vulnerability in ChurchCRM version 4.2.0, allows remote attackers to execute arbitrary code via crafted CSV file.


Vulnerability Name: CSV Injection / Formula Injection
Severity: High
Description: CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the List Event Types feature in ChurchCRM v4.2.0 via the Name field, which is mistreated while exporting to a CSV file.
Impact: Arbitrary formulas can be injected into CSV files, which can lead to remote code execution at the client or data leakage via maliciously injected hyperlinks.
Version Affected: 4.2.0
Payload Used: =10+20+cmd|' /C calc'!A0
Vulnerable URL: master/EventNames.php
Vulnerable Parameters: Name
Steps to Reproduce:

  1. Log in to the application, go to the 'Events' module and then "List Event Types"
  2. Edit any event and inject the payload =10+20+cmd|' /C calc'!A0 in the 'Name' field
  3. Now go to the 'List Event Types' module and click CSV to download the CSV file
  4. Open the CSV file, allow all popups and our payload is executed (calculator is opened).

Note: In case the payload does not execute, enable the 'External Content' and 'Macro' settings in Excel. Go to Excel > File > Options > Trust Center > Trust Center Settings > Macro/External Content.
References:
https://nvd.nist.gov/vuln/detail/CVE-2019-12134
http://cwe.mitre.org/data/definitions/1236.html

Just to confirm, this is not an issue with our CSV import, but if a row had bad data the exported CSV has an issue. We use https://datatables.net/ ; if you have a chance, maybe you can help see if they have fixed that.

@DawoudIO I think the problem lies in the export feature. It would be nice to have an option in download csv to escape strings that begin with "+", "-", "@", or "=" by prepending "\t".
For any cell that begins with one of the formula triggering characters =, -, +, or @, you should directly prefix it with a tab character.
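One way to implement the escape-on-export option this comment asks for, as an added example (not ChurchCRM's or DataTables' own code): a small PHP helper that prefixes formula-triggering cells with a tab before fputcsv writes them. The trigger list follows the OWASP CSV Injection guidance (=, +, -, @, plus a leading tab or carriage return). It assumes PHP 7.4+, the function names are my own, and the sample rows are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not ChurchCRM code: neutralise spreadsheet formula triggers
// before a cell is written to a CSV export. The tab-prefix approach is the
// one suggested in the thread; the trigger list follows OWASP's CSV Injection
// page (=, +, -, @ plus a leading tab or carriage return).
const FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

function startsWithFormulaTrigger(string $cell): bool
{
    return $cell !== '' && in_array($cell[0], FORMULA_TRIGGERS, true);
}

function neutraliseCell(string $cell): string
{
    // A leading tab stops Excel/LibreOffice from interpreting the cell as a
    // formula; the original text is otherwise preserved.
    return startsWithFormulaTrigger($cell) ? "\t" . $cell : $cell;
}

function writeSafeCsv($handle, array $header, array $rows): void
{
    // fputcsv already quotes delimiters, embedded quotes and newlines; the
    // formula-trigger defence is layered on top of that.
    fputcsv($handle, $header);
    foreach ($rows as $row) {
        $safe = array_map(fn($v) => neutraliseCell((string) $v), $row);
        fputcsv($handle, $safe);
    }
}

// Constructed sample rows standing in for exported event types (hypothetical
// data, not from the project). Rows 2-4 would be read as formulas or
// function calls by a spreadsheet if exported verbatim.
$sampleRows = [
    ['Sunday Service', 'Weekly'],
    ['=SUM(1;2)', 'Weekly'],
    ['@Guest speaker, "Dr." Example', 'Monthly'],
    ['-5 minute warm-up', 'Weekly'],
];

$out = fopen('php://output', 'w');
writeSafeCsv($out, ['Name', 'Frequency'], $sampleRows);
fclose($out);
```

The defence changes cell content (a legitimate "-5" becomes "\t-5"), which is why the comment above frames it as an option rather than the default; OWASP's alternative of prefixing a single quote has the same trade-off. Either way, the fix belongs in the export path, since the stored Name value itself is harmless to the application.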

I’m not seeing how this is a particularly useful bug report. Anyone can create a CSV file with any arbitrary text in it using any text editor or text generation tool. How using ChurchCRM to generate a CSV with questionable content is a “bug” leaves me perplexed. For example, this logic implies the bash echo command has this same “bug” too:

echo -e "Header 1, Header 2, Header 3\n1,=10+20+cmd|' /C calc'!A0,Foo bar\n2,Hello world,Text text" > test.csv

If there was a method to use unauthenticated access to ChurchCRM that allowed insertion of arbitrary data values AND generate a CSV AND somehow send that somewhere then maybe I’d consider this a flaw in ChurchCRM. Maybe I’m missing something?

I understand that this vulnerability would be much more impactful if any unauthenticated user were able to inject the payload, resulting in code execution on the internal user's system. However, this could also be impactful if any internal user of the application enters the payload, which results in impacting all the other users of the application. Here the payload is entered in the ChurchCRM application, leaving the application at fault for generating a file which can execute malicious commands on the user's system. A user may embed Dynamic Data Exchange (DDE) formulas to perform code execution, download a backdoor, open a malicious website, etc.
The legitimate user may download the file for the following reasons:

  1. The user trusts the site that the content is coming from.
  2. The user assumes that it is only a CSV file, that it won't contain functions or macros, and won't care about any warnings from Excel about potentially malicious functionality in the file.

https://owasp.org/www-community/attacks/CSV_Injection#:~:text=CSV%20Injection%2C%20also%20known%20as,the%20software%20as%20a%20formula.
https://payatu.com/csv-injection-basic-to-exploit

Feel free to create a PR.
