CSV Macro Injection – CVE-2018-9106, 9107

Hi, today I would like to disclose an interesting vulnerability in two Joomla extensions that I explored last week.

Vendor Description:

AcyMailing is a reliable Newsletter and email marketing extension for Joomla.
It enables you to efficiently manage an unlimited number of subscribers, organize them into mailing lists, send personalized newsletters (Hi {name}…)

AcySMS is a component which enables you to send follow-up campaigns, auto-responders, newsletters, promotions, special offers, automated messages… via SMS/Text Messages.

Technical Description:

CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files.

When a spreadsheet program such as Microsoft Excel or LibreOffice Calc is used to open a CSV, any cells starting with ‘=’ will be interpreted by the software as a formula. Maliciously crafted formulas can be used for three key attacks:

  • Hijacking the user’s computer by exploiting vulnerabilities in the spreadsheet software, such as CVE-2014-3524
  • Hijacking the user’s computer by exploiting the user’s tendency to ignore security warnings in spreadsheets that they downloaded from their own website
  • Exfiltrating contents from the spreadsheet, or other open spreadsheets.

Proof Of Concept:

The AcyMailing Starter component for Joomla provides a feature where user data can be exported in CSV format for later use.

It was found that there is no validation of the CSV file exported by the user, so CSV formula injection can be performed here.
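As an added example (not AcyMailing's or AcySMS's own code, and written in Python rather than the extensions' PHP so it can be run on its own), the following shows the defender's side of the issue described above and in the technical description: a hardened export routine that neutralizes formula-triggering cells before they reach the CSV, and an audit helper that flags such cells in an export produced by an unpatched version. The field names and sample subscriber rows are constructed for illustration.

```python
import csv
import io

# Leading characters that make Excel / LibreOffice Calc evaluate a cell
# as a formula (the set listed in OWASP's CSV Injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would treat this cell as a formula."""
    return value.startswith(FORMULA_TRIGGERS)

def neutralize_cell(value) -> str:
    """Force one exported value to be read as text.

    A leading single quote makes the spreadsheet keep the cell as text; the
    writer below wraps each cell in double quotes so delimiters and quotes
    inside the value cannot break out of the cell. Leading whitespace is
    ignored when deciding, which is deliberately conservative (a phone
    number such as '+1 555...' gets the prefix too).
    """
    text = "" if value is None else str(value)
    return "'" + text if is_formula_like(text.lstrip()) else text

def export_subscribers(rows, fieldnames) -> str:
    """Hardened CSV export: every cell is neutralized before it is written.
    rows: iterable of dicts, e.g. subscriber records (name, email, ...)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({f: neutralize_cell(row.get(f)) for f in fieldnames})
    return buf.getvalue()

def audit_csv(csv_text: str):
    """Review an existing export: return (line, column, value) for each cell
    a spreadsheet would still evaluate. Line 1 is the header row."""
    findings = []
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        for col, val in row.items():
            if isinstance(val, str) and is_formula_like(val.lstrip()):
                findings.append((n, col, val))
    return findings

# Constructed sample data: one subscriber name is a (harmless) formula.
SAMPLE_ROWS = [
    {"name": "Alice", "email": "alice@example.com"},
    {"name": "=2*21", "email": "mallory@example.com"},
]
```

Running `audit_csv` over an export from a patched install should return an empty list; any finding is a cell that still needs the text prefix.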


After reporting to the Acyba team, they patched it very quickly (< 24 hrs) and the MITRE team provided CVE-2018-9107.

Same was found in AcySMS extension as well.


The CVE assigned was CVE-2018-9106.

Collecting CVEs is fun, isn't it 🙂 My Git Repo: MrR3boot

Learn < Hack > Have Fun

References:


MrR3boot

An active bug hunter and exploit researcher. Reported several bugs to top tech giants like Microsoft, Google, Intel, US Dept. of Defense etc. PHP lover. Blogger. Other than hacking he loves travelling and exploring the world. Git-Ref: https://github.com/MrR3boot/
