- Component Type: 3rd party extensions (not being part of TYPO3 default installation)
- Release Date: July 20, 2021
- Impact: CSV Code Injection
- Type: Advisory
CSV code injection is an attack scenario, where untrusted user input is written to a CSV file and leads to the execution of code (formulas) when the file is consumed by an external application (e.g. Microsoft Excel or Google Sheets). As a result, this may lead to Data Exfiltration or Remote Code Execution on the victim's computer.
As an example, an attacker might enter potentially dangerous formulas to the contact form of a TYPO3 website which will be saved to the database on form submission. If the data is exported as a CSV file and imported in Microsoft Excel, the formulas may be executed.
A successful attack scenario however always depends on how exported data is consumed and how the consuming application is configured. Importing a CSV file to Microsoft Excel is a typical use case and might result in CSV code injection if the user ignores all warnings about potential unsafe macros, but there are various other use cases, where CSV data for example is consumed in other applications and crafted formulas are ignored.
If it is required to escape user input with potential malicious formulas, we recommend escaping user input as described in this OWASP article. The TYPO3 core function TYPO3\CMS\Core\Utility\CsvUtility::csvValues() has been adapted to escape all exported data by default - as a result, potential CSV control characters are removed. This feature is configurable, so it is still possible to generate CSV data that contains user input as is - which might be useful when CSV data is only used for machine-to-machine communication.
TYPO3 extension authors who provide an extension with a CSV export functionality are advised to implement similar escaping functionality as described in the linked OWASP article.
The TYPO3 security team will not classify extensions with missing escaping functionality as vulnerable, since we believe that the requirement to escape content always depends on how data is consumed individually. Therefore, CSV code injection has also been added as a non-qualifying vulnerability to our bug bounty program.
Credits go to Sarah Raffaella Basel, Sybille Peters and Thorsten Kamp who reported the issue.