
Comma Separated Vulnerabilities - gfalcao
https://www.contextis.com/resources/blog/comma-separated-vulnerabilities/
======
paultopia
The really infuriating thing about this report is the message these terrible
applications give to users. "Links to other files?" And the inquiry about
whether those "links" should be "updated?" That's a ridiculous, terrible,
message to express "remote code execution." Just as bad is "automatic update
of links."

The hell? If I were reading this (as a sophisticated user who isn't a security
expert), I'd just assume there was some kind of weird document embedding thing
going on. Not that "link to other file" meant "RUN ARBITRARY APPLICATIONS AND
PROBABLY EXECUTE ARBITRARY CODE."

Even the warning about "To access this data Excel needs to start another
application" is incredibly deceptive. The data in a CSV is perfectly damn
accessible without Excel opening anything else. It ought to say "to execute
the commands embedded in this data, Excel needs to start another application,"
so that people bloody well know that they're not just _viewing data_ but
they're actually _doing something._

Horrible, horrible, horrible communication.

~~~
jancsika
> It ought to say "to execute the commands embedded in this data, Excel needs
> to start another application," so that people bloody well know that they're
> not just viewing data but they're actually doing something.

That's an astute observation.

Somewhat related:

Awhile back I remember seeing a demo of some Mozilla tech that would let one
rotate a web page and then view a 3d "stack" of all the DOM elements. A bit
like each layer was made up of different colors of lego blocks.

Is there some similar visualization tool to help distinguish data from code?

For example, imagine I want to use some scissors to clip some daisies on a
hilltop. I eyeball the daisies I want. When I pick up the scissors they snap a
picture of the daisies and cut 1000ft below until they split into the bedrock.
Consequently, a demon's fiery arm shoots out the hole holding my scissors,
violently cuts the daisies, then picks them up and offers them to me as a low,
rumbling voice announces: "Daisies."

Now I don't know about anyone else, but I think that experience would make me
a wee bit cautious about picking flowers. Or at least more than I would be
merely by reading a man page.

Edit: I guess to be sensible, the demon's arm would need to recede back into
the bedrock and heal the split.

~~~
floatboth
3D stack of DOM elements wasn't just a tech demo, it was actually part of the
devtools. Removed because no one reimplemented it in a way that's compatible
with multiprocess Firefox
[https://bugzilla.mozilla.org/show_bug.cgi?id=1086492](https://bugzilla.mozilla.org/show_bug.cgi?id=1086492)

~~~
gleenn
An amazing feature which was moved to a still accessible extension. Sadly I
can't remember the name right now but I found it very recently. Makes
understanding HTML nesting rapidly apparent.

~~~
technomalogical
Is this it? [https://addons.mozilla.org/en-
US/firefox/addon/tilt/](https://addons.mozilla.org/en-US/firefox/addon/tilt/)

~~~
floatboth
Yes. (And it does not work with e10s.)

------
skybrian
re: "Spreadsheet software could take steps to mitigate some of these attacks,
but preventing formula injection is ultimately the responsibility of every
application that generates spreadsheets containing user-supplied content."

Whoah, that's putting the blame in the wrong place. Spreadsheets shouldn't
look for formulas at all in plain csv files. That's not what they're for.

~~~
kalleboo
Exactly. Putting junk apostrophes in CSV files just means that when I import
CSV files into my database I now need to figure out if the apostrophe was
supposed to be there or was inserted by the exporting software.

Spreadsheet software should import formulas as plain text formatted cells, and
have an optional checkbox to "also import formulas" for people who are trying
to interchange spreadsheets they created.

------
userbinator
I've found that spreadsheet software, notably Excel, tends to be "over-
helpful" in trying to determine the format of the data it's reading in, no
doubt in an attempt to help the less-knowledgeable user; anyone who has ever
had it mangle imported data by e.g. guessing that "02-04" should somehow be a
date will be familiar with this.

It should not be surprising then, that this type of guessing behaviour could
lead to exploitable vulnerabilities.

~~~
isoprophlex
Or, what to think of the sheer idiocy of Excel blindly throwing away integers
it deems too large, replacing them by floats...

~~~
TeMPOraL
FWIW, if the imported data comes from a web app, which presumably generates it
with JavaScript, the damage is already done...

------
Kenji
All these features (like DDE) should be disabled by default, and should only
be possible to be enabled by means of an obscure and hidden menu item that
nobody can find.

------
strictnein
Was just reading a vulnerability disclosure of an example of this at Hackerone
last night (for Hackerone).

[https://hackerone.com/reports/72785](https://hackerone.com/reports/72785)

They cited this link in their report.

------
thisrod
You mean to say that, whenever I load a CSV file into LibreOffice, anything
that looks like code gets executed? Excuse me one moment while I patch that
program with rm -rf.

Thank goodness that A. W. and K. got this right 35 years ago, interpreting
data inputs as numbers and strings. Pity about the regression.

------
onychomys
This probably should have a "(2014)" on the end of the title.

~~~
danso
Anyone know the current state of these vulnerabilities? The post says it was
updated in April 2016.

~~~
Gasparila
They still exist and (as far as I know) there are no plans to do anything
about them. We (thankfully) were alerted to this issue by HackerOne before it
was an issue, but this remains an absurdly easy attack vector...

------
claudiulodro
Just implemented a CSV importer/exporter for a big release and this document
came in super helpful.

Are there any CSV exploits that can't be solved by just prefixing fields that
start with "=", "+", "-", and "@" with an apostrophe?

~~~
bobince
You might consider prefixing other fields with an apostrophe to avoid them
being misinterpreted as numbers or dates.

Unfortunately, even if you put an apostrophe on everything, problems remain:

\- the apostrophes are non-standard and assure all other CSV-handling tools
get the wrong, apostrophe-prefixed values

\- Excel itself doesn't escape fields on output, so if someone loads your
exported file into Excel, saves it and reloads it, the exploits come back

Excel is a quite frighteningly terrible tool for handling CSV.

------
nthcolumn
Old as me, this stuff is. Little consideration, security was for windows
programmers when DDE was made. Exploits leveraging stuff from Windows 3.1, I
see often.

