Excel Command Injection
Excel Command Injection
mrpaulmcgee
Posts: 4Questions: 1Answers: 0
Hi,
Has anyone created a fix for this exploit in datatables. I am using buttons plugin and exporting to excel but its been flagged as vulnerable to excel command injection. They recommend starting all cells with a quote ( ' ) to force them to be interpreted literally.
I was going to use something like this:-
exportOptions: {
format: {
body: function ( data, row, column, node ) {
return data.concat("'", data)
}
}
}
Anyone any successful fixes for this issue?
Thanks
This discussion has been closed.
Replies
Have you got a link to where that is recommended in the Open Spreadsheet specification, or wherever else this was recommended? I'd like to understand the issue a bit deeper here.
Thanks,
Allan
Hi Allan,
I use buttons excel export in our User Admininstration area whereby anyone who can see the list of users can export the table. By adding a user with first name =cmd|' /C calc'!A0 there was a vulnerability found.
The summary given to me was:-
The application supports exporting a list of users as an Excel XLSX spreadsheet. When this is done, no attempt at sanitization occurs. Any cell in the spreadsheet that can start with an equals sign (=) can be used to execute arbitrary commands when the spreadsheet is opened (or exfiltrate data from other spreadsheets that are accessible to the victim).
Remediation is recommended in the form of 'Start all cells with a single quote (') to force them to be interpreted literally by Excel.'
I have made a change to my code like this:-
I am also stripping tags first as you can see. I use the buttons export in a number of areas and I dont really want to take it out as it works well for what we need. I just thought someone else must have come across this before and maybe had a better solution.
Thanks
I've just tried a really simple change to encapsulate all of the text in cells with quotes:
at this point, but the rendered output just shows the quoted strings (i.e. with the quotes) which is what I expected.
I'm feeling there is something I'm missing here!
Allan