Details
- Type: Suggestion
- Resolution: Unresolved
Description
If a field value in a CSV file exported from Jira contains a formula that executes a command, Excel (with specific settings) will execute it when the file is opened.
Example:
- An intruder creates a new user with a username containing a formula, e.g. =cmd|' /C notepad'!'A1
- Some action that is recorded in the Audit log (e.g. a change of the user's First/Last name) is performed on behalf of that new user
- Later, the Audit log is exported as a CSV file (with the malicious username in one of the fields)
- Excel has the following Trust Center setting enabled:
  - External Content > "Enable Dynamic Data Exchange Server Launch"
- When the malicious CSV file is opened and the user clicks "Enable" and "Yes" on every prompt, the injected formula executes.
The suggestion is for Jira to sanitise the fields in exported CSV files:
- Ensure that no cell begins with any of the following characters:
  - Equals (=)
  - Plus (+)
  - Minus (-)
  - At (@)
  - Tab (0x09)
  - Carriage return (0x0D)
- Alternatively, apply the following sanitization to each field of the CSV so that its content is read as text by the spreadsheet editor:
  - Wrap each cell field in double quotes
  - Prepend each cell field with a single quote
  - Escape every double quote with an additional double quote
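One way an exporter could apply both of the suggested sanitization options, as an added example rather than Jira's own code (the function names, the `prefix_all` switch and the constructed sample rows are assumptions; the username in the sample is the one quoted in this issue):

```python
import csv
import io

# Characters that, at the start of a cell, make Excel or LibreOffice
# treat the cell as a formula (the list given in the issue description).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would interpret this field as a formula."""
    return value.startswith(FORMULA_TRIGGERS)


def sanitize_field(value: str, prefix_all: bool = False) -> str:
    """Neutralise one field: a leading single quote forces text mode.

    prefix_all=False prefixes only formula-like cells (the issue's first
    option); prefix_all=True prefixes every cell (the alternative option).
    """
    if prefix_all or is_formula_like(value):
        return "'" + value
    return value


def export_csv(rows, fieldnames, prefix_all=False) -> str:
    """Write rows with every field double-quoted and embedded quotes doubled."""
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=fieldnames,
        quoting=csv.QUOTE_ALL,  # wrap each cell in double quotes
        doublequote=True,       # escape a double quote with a second one
        lineterminator="\n",
    )
    writer.writeheader()
    for row in rows:
        writer.writerow({k: sanitize_field(str(row.get(k, "")), prefix_all)
                         for k in fieldnames})
    return buf.getvalue()


def parse_csv(text: str) -> list:
    """Read the export back the way a spreadsheet importer would split it."""
    return list(csv.reader(io.StringIO(text)))


# Constructed sample audit-log rows (not real Jira data).
SAMPLE_ROWS = [
    {"user": "=cmd|' /C notepad'!'A1", "action": "First name changed"},
    {"user": "alice", "action": 'Comment edited: said "done"'},
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS, ["user", "action"]))
```

Excel shows the leading single quote in the formula bar but not in the cell, so the exported text still reads as the original username while no longer being evaluated.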