View Issue Details

Jump to NotesJump to History
This bug affects 1 person(s).
 252
IDProjectCategoryView StatusDate SubmittedLast Update
19253Bug reportsSecuritypublic2023-11-20 12:152023-11-20 12:16
ReporterDenisChenu Assigned To 
PrioritynoneSeverityminor 
Status newResolutionopen 
Product Version6.3.x 
Summary19253: CSV injection in export quota
Description

When using a spreadsheet program like Microsoft Excel or LibreOffice Calc to open a CSV file, the software interprets any cell that begins with "=" as a formula. CSV injection, also known as formula injection, occurs when websites incorporate user-supplied data into CSV files without proper validation.

Steps To Reproduce

Steps to reproduce

(Replace this text with detailed step-by-step instructions on how to reproduce the issue)

Expected result

(Write here what you expected to happen)

Actual result

(Write here what happened instead)

TagsNo tags attached.
Bug heat252
Complete LimeSurvey version number (& build)6.3.1+231023
I will donate to the project if issue is resolvedNo
Browsernot relevant
Database type & versionnot relevant
Server OS (if known)not relevant
Webserver software & version (if known)not relevant
PHP Versionnot relevant

Users monitoring this issue

User List There are no users monitoring this issue.

Activities

DenisChenu

DenisChenu

2023-11-20 12:15

developer   ~78530

https://bugs.limesurvey.org/view.php?id=19252

========
When using a spreadsheet program like Microsoft Excel or LibreOffice Calc to open a CSV file, the software interprets any cell that begins with "=" as a formula. CSV injection, also known as formula injection, occurs when websites incorporate user-supplied data into CSV files without proper validation.

It has been detected the possibility of injecting CSV formulas into the titles of survey quotas, which can subsequently be exported to CSV.

To mitigate this vulnerability, it is recommended to validate the input entered by a user to ensure that no cell begins with any of the following characters:

Equal to ("=")
Plus ("+")
Minus ("-")
At ("@")"

On its own, this functionality would not have a high impact, as the CSV quotas can only be exported by the same user. However, considering the vulnerability which allows the editing of quotas belonging to others, an attacker could add malicious formulas to another user, which would be executed when that user exports their quotas.

5.png (90,281 bytes)   
5.png (90,281 bytes)   
6.png (118,467 bytes)

Issue History

Date Modified Username Field Change
2023-11-20 12:15 DenisChenu New Issue
2023-11-20 12:15 DenisChenu Note Added: 78530
2023-11-20 12:15 DenisChenu File Added: 5.png
2023-11-20 12:15 DenisChenu File Added: 6.png
2023-11-20 12:15 DenisChenu Bug heat 250 => 252