Mahara

Exporting of CSV files needs to sanitize data

Bug #1930471 reported by Robert Lyon
254
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mahara
Fix Released
High
Unassigned
Mahara 21.10.0
20.04
Fix Released
High
Unassigned
Mahara 20.04.5
20.10
Fix Released
High
Unassigned
Mahara 20.10.3
21.04
Fix Released
High
Unassigned
Mahara 21.04.2

Bug Description

When we export CSV files, like we do in the reports pages, we don't sanitize the output.

This means if a person saves data (like their username) beginning with certain characters, eg = or + etc then the data when added into a spreadsheet program will interpret the value as a command.

This allows one to create a malicious string so that they can exploit spreadsheet vulnerabilities.

Though this exploit isn't effecting Mahara itself - it can be the vector of transmission.

It will be best if we sanitize the CSV exports to avoid this.
A suggestion is to add a TAB character before any string that begins with a susceptible character

CVE References

Revision history for this message
Robert Lyon (robertl-9) wrote :

https://reviews.mahara.org/#/c/11819/

Revision history for this message
Robert Lyon (robertl-9) wrote :

The offending characters as per owasp.org

Equals to (=)
Plus (+)
Minus (-)
At (@)
Tab (0x09)
Carriage return (0x0D)

Revision history for this message
Robert Lyon (robertl-9) wrote :

A potential exploit example

Making a username be:

='file:///etc/passwd'#$passwd.A1

then selecting person via Admin -> People page and exporting CSV of them

Kristina Hoeppner (kris-hoeppner)
Changed in mahara:
status: Confirmed → In Progress
Revision history for this message
Kristina Hoeppner (kris-hoeppner) wrote (last edit ):

For the security forum post:

Vulnerability type: Other (CSV Injection)
Attack type: Local
Impact: Code execution

Affected components: Exported CSV files with personal data that are imported into a spreadsheet software
Attack vectors: If a person saves data (like their username) beginning with certain characters, e.g. = or + etc. then the data when added into a spreadsheet program will be interpreted as a command. This allows one to create a malicious string so that they can exploit spreadsheet vulnerabilities. Mahara itself is not vulnerable, but it can be the vector of transmission.

Suggested description: In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, exported CSV files could contain characters that a spreadsheet program could interpret as a command and execute a malicious string locally on a device.

Reported by: Saksham Anand (Catalyst IT)
Bug report: https://bugs.launchpad.net/mahara/+bug/1930471
CVE reference: CVE-2021-40848

Revision history for this message
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/12135
Committed: https://git.mahara.org/mahara/mahara/commit/941740b3f796316659d379819ffe7db93651df2e
Submitter: Robert Lyon (<email address hidden>)
Branch: main

commit 941740b3f796316659d379819ffe7db93651df2e
Author: Robert Lyon <email address hidden>
Date: Thu Jun 3 12:20:23 2021 +1200

Security bug 1930471: Make exported CSV data safer

To avoid data exported from Mahara causing a CSV injection security
issue when imported in a spreadsheet program

Change-Id: Iedc258f33f1ca4e24fcb15f565da28828ef361ee
Signed-off-by: Robert Lyon <email address hidden>

Revision history for this message
Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "21.10_DEV" branch: https://reviews.mahara.org/12194

Revision history for this message
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/12194
Committed: https://git.mahara.org/mahara/mahara/commit/697a0c08dc3f0d433ec3941c84cc527e10962c0c
Submitter: Robert Lyon (<email address hidden>)
Branch: 21.10_DEV

commit 697a0c08dc3f0d433ec3941c84cc527e10962c0c
Author: Robert Lyon <email address hidden>
Date: Thu Jun 3 12:20:23 2021 +1200

Security bug 1930471: Make exported CSV data safer

To avoid data exported from Mahara causing a CSV injection security
issue when imported in a spreadsheet program

Change-Id: Iedc258f33f1ca4e24fcb15f565da28828ef361ee
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 941740b3f796316659d379819ffe7db93651df2e)

Revision history for this message
Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "21.04_STABLE" branch: https://reviews.mahara.org/12195

Revision history for this message
Mahara Bot (dev-mahara) wrote :

Patch for "20.10_STABLE" branch: https://reviews.mahara.org/12196

Kristina Hoeppner (kris-hoeppner)
no longer affects: mahara/21.10
Revision history for this message
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/12197
Committed: https://git.mahara.org/mahara/mahara/commit/da329097ae4c5ec77703643e0f3b79db4fb9e596
Submitter: Robert Lyon (<email address hidden>)
Branch: 20.04_STABLE

commit da329097ae4c5ec77703643e0f3b79db4fb9e596
Author: Robert Lyon <email address hidden>
Date: Thu Jun 3 12:20:23 2021 +1200

Security bug 1930471: Make exported CSV data safer

To avoid data exported from Mahara causing a CSV injection security
issue when imported in a spreadsheet program

Change-Id: Iedc258f33f1ca4e24fcb15f565da28828ef361ee
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 941740b3f796316659d379819ffe7db93651df2e)
(cherry picked from commit 697a0c08dc3f0d433ec3941c84cc527e10962c0c)

Robert Lyon (robertl-9)
information type: Private Security → Public Security
Revision history for this message
Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/12195
Committed: https://git.mahara.org/mahara/mahara/commit/63b6f18c0a437b606fa6354d270e87263067e259
Submitter: Gold (<email address hidden>)
Branch: 21.04_STABLE

commit 63b6f18c0a437b606fa6354d270e87263067e259
Author: Robert Lyon <email address hidden>
Date: Thu Jun 3 12:20:23 2021 +1200

Security bug 1930471: Make exported CSV data safer

To avoid data exported from Mahara causing a CSV injection security
issue when imported in a spreadsheet program

Change-Id: Iedc258f33f1ca4e24fcb15f565da28828ef361ee
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 941740b3f796316659d379819ffe7db93651df2e)
(cherry picked from commit 697a0c08dc3f0d433ec3941c84cc527e10962c0c)

Revision history for this message
Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/12196
Committed: https://git.mahara.org/mahara/mahara/commit/27de027be855d351bc5dfe289e50fb0496e4c24d
Submitter: Robert Lyon (<email address hidden>)
Branch: 20.10_STABLE

commit 27de027be855d351bc5dfe289e50fb0496e4c24d
Author: Robert Lyon <email address hidden>
Date: Thu Jun 3 12:20:23 2021 +1200

Security bug 1930471: Make exported CSV data safer

To avoid data exported from Mahara causing a CSV injection security
issue when imported in a spreadsheet program

Change-Id: Iedc258f33f1ca4e24fcb15f565da28828ef361ee
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 941740b3f796316659d379819ffe7db93651df2e)
(cherry picked from commit 697a0c08dc3f0d433ec3941c84cc527e10962c0c)

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.