- Date
- Scope
- Vulnerabilities
- Critical Impact
  - Remote Code Execution via csv download.
A pentest audit was performed for the SAFE SUPPORT SERVICE on Wednesday, 2 December 2020.
We started with: mng.safety-support-service.jp
The vulnerabilities found are listed according to their impact levels, with explanations and potential recommendations.
It was found that the CSV download functionality located at https://mng.safety-support-service.jp/journals/journal is vulnerable to RCE.
- Visit https://mng.safety-support-service.jp/journals/vehicle and try to register a car name such as *@SUM(1+1)cmd|' /C calc'!A0
- Download the CSV.
- Open it. MS Excel will ask for permission to enable the view; click OK and cmd.exe will pop up.
An attacker can make a victim download the CSV file, and if the user is not very technical he/she will enable the view mode in Excel, which can lead to full RCE.
Before passing data to the CSV, user input should be properly sanitized.
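
One way to apply this recommendation at export time, shown as an added example that is not the application's own code. The function names and the sample vehicle names are constructed for illustration, and the set of trigger characters is an assumption taken from OWASP's CSV injection guidance.

```python
import csv
import io
import re

# Leading characters that spreadsheet applications treat as the start of a
# formula (assumed set, per OWASP CSV-injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
PLAIN_NUMBER = re.compile(r"[+-]?[0-9]+(\.[0-9]+)?")


def neutralise_cell(value):
    """Return text that a spreadsheet will display literally, never evaluate."""
    text = "" if value is None else str(value)
    if PLAIN_NUMBER.fullmatch(text):
        return text  # "-5" or "+3.2" is data, not a formula
    # Look past leading spaces: some importers trim them before parsing.
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + text  # a leading apostrophe forces a text cell
    return text


def export_csv(rows):
    """Serialise rows with every field quoted and every cell neutralised."""
    buf = io.StringIO()
    # QUOTE_ALL also doubles embedded quotes, so a value cannot break out
    # of its field and start a new cell.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    for row in rows:
        writer.writerow([neutralise_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample data: vehicle names as a user might register them.
SAMPLE_ROWS = [
    ["id", "vehicle_name"],
    [1, "Truck 12"],
    [2, "=1+1"],
    [3, "  @SUM(1+1)"],
    [4, "-5"],
    [5, 'Van "B", north depot'],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS))
```

Neutralising at export covers values already stored in the database; rejecting such names when the vehicle is registered is a complementary check, not a replacement.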