Arxes Tolina CSV Injection

Background

We discovered a security issue within the arxes-tolina web application with version 3.0.0. It is a software used for performing a credit risk rating of business parties. An attacker can input malicious commands embedded within the formula data of a spreadsheet, due to a lack of sufficient input filtering. This allows users to become compromised should they open the injected spreadsheet that was exported as a CSV file and opened via tools like Microsoft Excel or LibreOffice. The attacker can infect users with malware and gain control over their machine, if the malicious code is executed successfully.

Steps to Reproduce

Upon creating a new company entry, a malicious user is able to enter formula code into the "Firma" field. Users with adequate permissions, could export and download all the existing companies in the database as a CSV file. If the infected CSV file is opened with Microsoft Excel, and the user accepts the warning from Excel that the program "cmd .exe" will be executed upon opening the document, the malicious formula code will be executed. In this example, the value "= cmd|'/ Ccalc'!A0" was used as the company name, for the example proof of concept attack. The formula is then interpreted by Excel and the embedded commands are executed.

Root Cause

This issue exists due to insufficient input filtering. In order to mitigate the issue, we recommend sanitizing cells that begin with any special character that may trigger the execution of a formula such as "=", "+", "@" or "-". By prepending a single quote or apostrophe (') character to the field’s content may avoid the content of the cell from being interpreted as a formula.

Fix

The issue was reported to arxes-tolina but we are not aware whether a fix has been implemented.

Credit

Credit for finding and reporting the issue: 

Evgeni Sabev (Deloitte)