Posted to issues@commons.apache.org by "Sebb (JIRA)" <ji...@apache.org> on 2017/02/15 21:20:42 UTC

[jira] [Resolved] (CSV-199) CSVFormat option to defend against CSV Excel Macro Injection (CEMI) attacks

     [ https://issues.apache.org/jira/browse/CSV-199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sebb resolved CSV-199.
----------------------
    Resolution: Won't Fix

I agree, this is out of scope for CSV and all but impossible to implement reliably anyway.

> CSVFormat option to defend against CSV Excel Macro Injection (CEMI) attacks
> ---------------------------------------------------------------------------
>
>                 Key: CSV-199
>                 URL: https://issues.apache.org/jira/browse/CSV-199
>             Project: Commons CSV
>          Issue Type: New Feature
>          Components: Printer
>    Affects Versions: 1.4
>            Reporter: Phil Varner
>             Fix For: Discussion
>
>
> A common use for Commons CSV is to export user-generated data for analysis in spreadsheet software like Excel.  One attack against this usage is for a user to create data that appears as a formula to Excel, such that Excel executes it.  For example, a simple non-malicious example of this is a CSV file like:
> {code}
> Name,Email,Favorite Color
> Aaron Aaronson,aa@example.com,=1+1
> {code}
> When opened, Excel will execute the macro and display "2".  A malicious example could, for example, use "=cmd|' /C calc'!A0", causing a command prompt to be opened. 
> This can be exploited with values starting with =, +, -, or .
> This feature would add a flag to CSVFormat called "escapeFormulas" that would defend against creating vulnerable CSV files like this by prepending a single-quote to any CSV column value starting with the four aforementioned characters.  Also added would be a predefined format EXCEL_WITHOUT_FORMULAS that could be used for safely exporting data that was not intended to contain formulas. 
> I believe it is important to add this as a feature to CSVFormat rather than relying on users to manually escape formulas because many users do not know about this security vulnerability, but would prefer to defend against it if aware. 
> More information:
> https://www.owasp.org/index.php/CSV_Excel_Macro_Injection
> https://hackerone.com/reports/72785
> http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
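An added example (not code from the issue or from Commons CSV itself) of the pre-processing the reporter asked for, applied before handing values to the library's EXCEL printer; the helper class, its method names and the sample rows are constructed for this illustration, and the `@` trigger is taken from OWASP's CSV injection guidance rather than from the issue text.

```java
import java.io.IOException;
import java.io.StringWriter;
import org.apache.commons.csv.CSVFormat;
import org.apache.commons.csv.CSVPrinter;

/**
 * Illustrative helper, not part of Commons CSV: neutralises cell values that a
 * spreadsheet would otherwise interpret as a formula, then prints with the
 * library's EXCEL format (which still handles quoting of commas and double quotes).
 */
public final class FormulaSafeExport {

    // Characters that make Excel treat a cell as a formula. The issue lists
    // = + - ; '@' is added here from OWASP's CSV injection guidance
    // (an assumption beyond the page's own list).
    private static final String FORMULA_TRIGGERS = "=+-@";

    /** Prefix a triggering value with a single quote so Excel displays it as text. */
    static String escapeFormula(String value) {
        if (value == null || value.isEmpty()) {
            return value;
        }
        // The quote becomes part of the data as seen by every other consumer of
        // the file, one reason the maintainers judged this hard to do reliably
        // inside the library itself.
        return FORMULA_TRIGGERS.indexOf(value.charAt(0)) >= 0 ? "'" + value : value;
    }

    /** Apply escapeFormula to every String cell of a record; other types pass through. */
    static Object[] escapeRecord(Object... values) {
        Object[] out = new Object[values.length];
        for (int i = 0; i < values.length; i++) {
            out[i] = values[i] instanceof String ? escapeFormula((String) values[i]) : values[i];
        }
        return out;
    }

    public static void main(String[] args) throws IOException {
        StringWriter sw = new StringWriter();
        try (CSVPrinter printer = new CSVPrinter(sw, CSVFormat.EXCEL)) {
            printer.printRecord("Name", "Email", "Favorite Color");
            // Constructed sample rows: the issue's =1+1 case, plus a value containing
            // a comma to show the library's own quoting still applies after escaping.
            printer.printRecord(escapeRecord("Aaron Aaronson", "aa@example.com", "=1+1"));
            printer.printRecord(escapeRecord("Bea Bee", "bb@example.com", "-1,000"));
        }
        System.out.print(sw);
    }
}
```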