The Absurdly Underestimated Dangers of CSV Injection
This would seem like a reason to stop using CSV as an intermediate format, but I don't think that's an option. I know for my shop it sure as heck isn't.
That isn’t actually a CSV vulnerability, it is an Excel vulnerability. Further, it presumes that the CSV itself is compromised. The article’s assertions that “hey it's my CSV file” aren’t quite right: if the CSV file comes through your secure processes then it is secure; anything else is not. Opening a CSV you get through an email and clicking “trusted” is blatant stupidity.
closed account (E0p9LyTq)
@Duthomhas,
How DARE you make sense. Some people want to run around. screaming and shouting. ;)
How DARE you make sense. Some people want to run around. screaming and shouting. ;)
closed account (E0p9LyTq)
| This would seem like a reason to stop using CSV as an intermediate format |
Just don't trust an unknown, insecure source for data as being hack-free.
If I didn't personally create the file, I don't trust it to be error-/hack-free.
I would open an unknown CSV file without thinking if I wanted to know what was inside. My philosophy is that I should be able to open data files without danger. Of course, if it were a script file, I wouldn't run it unless I trusted the source but CSV stands for comma-separated values and that doesn't give me the impression that it is a script file.
Last edited on
Agree with @Duthomas that it's an Excel vulnerability. However, it's quite a dangerous one.
If I saw that warning coming from Excel I would probably be so intrigued that I would list the file to find out what was going on.
The real dangers that I see with this are:
(1) That file would easily bypass any security system (like email filters, virus checkers etc.) without demur.
(2) If a human operative is actually using Excel here then they will (hopefully) respond sensibly to the warning. But what if it was being run by an automatic batch system in the absence of human intervention?
(3) The "thin-end-of-the-wedge" nature: this suggests that there might be other things you could do with Excel files.
(4) YOU might be sufficiently computer-savvy to take note of the warning, but I'm not sure that my children in their younger days, or my less technically-minded elderly parents would.
Thank-you for posting it @Thomas1965.
If I saw that warning coming from Excel I would probably be so intrigued that I would list the file to find out what was going on.
The real dangers that I see with this are:
(1) That file would easily bypass any security system (like email filters, virus checkers etc.) without demur.
(2) If a human operative is actually using Excel here then they will (hopefully) respond sensibly to the warning. But what if it was being run by an automatic batch system in the absence of human intervention?
(3) The "thin-end-of-the-wedge" nature: this suggests that there might be other things you could do with Excel files.
(4) YOU might be sufficiently computer-savvy to take note of the warning, but I'm not sure that my children in their younger days, or my less technically-minded elderly parents would.
Thank-you for posting it @Thomas1965.
@lastchance
Therein is the true problem: (PE)BCAK. Even corporate types who should know better (such as those setting up batch processes) are often wholly unaware of the danger.
@FurryGuy
Sounds like a party!
Therein is the true problem: (PE)BCAK. Even corporate types who should know better (such as those setting up batch processes) are often wholly unaware of the danger.
@FurryGuy
Sounds like a party!
@FurryGuy: That works for you and me, but I'm responsible for more than just myself in my company. I have users that spend multiple hours a day manually editing letters because regardless of how many times I show them, mail-merge might as well be a magic spell.
closed account (E0p9LyTq)
| I have users that spend multiple hours a day manually editing letters because regardless of how many times I show them, mail-merge might as well be a magic spell |
Doubtful they will ever write Shakespeare plays.
Being a non-professional. still learning programmer, or by my own bootstraps computer nerd tech support, I know I have run across my fair share of people that make me inwardly regret ever letting people know I "know" computerese. In any form.
Topic archived. No new replies allowed.