CWE

Common Weakness Enumeration

A Community-Developed List of Software & Hardware Weakness Types

CWE Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (4.1)  
ID

CWE-1236: Improper Neutralization of Formula Elements in a CSV File

Weakness ID: 1236
Abstraction: Base
Structure: Simple
Status: Incomplete
Presentation Filter:
+ Description
The software saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by spreadsheet software.
+ Extended Description
User-provided data is often saved to traditional databases. This data can be exported to a CSV file, which allows users to read the data using spreadsheet software such as Excel, Numbers, or Calc. This software interprets entries beginning with '=' as formulae, which are then executed by the spreadsheet software. The software's formula language often allows methods to access hyperlinks or the local command line, and frequently allows enough characters to invoke an entire script. Attackers can populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software.
+ Alternate Terms
CSV Injection
Formula Injection
Excel Macro Injection
+ Relationships

The table(s) below shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.

+ Relevant to the view "Research Concepts" (CWE-1000)
NatureTypeIDName
ChildOfClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.74Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
+ Relevant to the view "Software Development" (CWE-699)
NatureTypeIDName
MemberOfCategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic.137Data Neutralization Issues
+ Modes Of Introduction

The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.

PhaseNote
ImplementationThe weakness is in the implementation of a software's CSV export feature, in particular how it formats formula entries as the output gets flattened into a text file.
+ Applicable Platforms
The listings below show possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.

Languages

Class: Language-Independent (Undetermined Prevalence)

Operating Systems

Class: OS-Independent (Undetermined Prevalence)

Architectures

Class: Architecture-Independent (Undetermined Prevalence)

Technologies

Other (Undetermined Prevalence)

+ Common Consequences

The table below specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

ScopeImpactLikelihood
Confidentiality

Technical Impact: Read Application Data; Execute Unauthorized Code or Commands

Current versions of Excel warn users of untrusted content.
Low
+ Demonstrative Examples

Example 1

Hyperlinks or other commands can be executed when a cell begins with the formula identifier, '='

(attack code)
Example Language: Other 

=HYPERLINK(link_location, [friendly_name])

Stripping the leading equals sign, or simply not executing formulas from untrusted sources, impedes malicious activity.

(good code)
 

HYPERLINK(link_location, [friendly_name])

+ Observed Examples
ReferenceDescription
Low privileged user can trigger CSV injection through a contact form field value
Cloud management product allows arbitrary command execution via CSV injection
CSV injection in content management system via formula code in a first or last name
+ Potential Mitigations

Phase: Implementation

When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).

Effectiveness: Moderate

Note: Unfortunately, there is no perfect solution, since different spreadsheet products act differently.

Phase: Implementation

If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.

Effectiveness: Moderate

Note: It is not clear how effective this mitigation is with other spreadsheet software.

Phase: Architecture and Design

Certain implementations of spreadsheet software might disallow formulae from executing if the file is untrusted, or if the file is not authored by the current user.

Effectiveness: Limited

Note: This mitigation has limited effectiveness because it often depends on end users opening spreadsheet software safely.
+ References
[REF-21] OWASP. "CSV Injection". 2020-02-02. <https://owasp.org/www-community/attacks/CSV_Injection>.
[REF-22] Jamie Rougvie. "Data Extraction to Command Execution CSV Injection". 2019-09-06. <https://www.veracode.com/blog/secure-development/data-extraction-command-execution-csv-injection>.
[REF-23] George Mauer. "The Absurdly Underestimated Dangers of CSV Injection". 2017-10-07. <http://georgemauer.net/2017/10/07/csv-injection.html>.
[REF-24] James Kettle. "Comma Separated Vulnerabilities". 2014-08-29. <https://www.contextis.com/en/blog/comma-separated-vulnerabilities>.
+ Content History
+ Submissions
Submission DateSubmitterOrganization
2019-11-21CWE Content TeamMITRE
More information is available — Please select a different filter.
Page Last Updated: June 25, 2020