{"id":16703,"date":"2021-07-08T13:21:37","date_gmt":"2021-07-08T11:21:37","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2020-0052\/"},"modified":"2021-07-19T14:16:51","modified_gmt":"2021-07-19T12:16:51","slug":"usd-2020-0052","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2020-0052\/","title":{"rendered":"usd-2020-0052"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n<h1 class=\"h-custom-headline usd-small-letters h2\"><span>usd-2020-0052 | Gophish v0.10.1<\/span><\/h1>\n<p><span><\/span><br \/><strong>Advisory ID<\/strong><span>: usd-2020-0052<\/span><br \/><strong>CVE Number<\/strong><span>: CVE-2020-24707<\/span><br \/><strong>Affected Product<\/strong><span>: Gophish<\/span><br \/><strong>Affected Version<\/strong><span>: v0.10.1<\/span><br \/><strong>Vulnerability Type<\/strong><span>: CSV Injection<\/span><br \/><strong>Security Risk<\/strong><span>: Medium<\/span><br \/><strong>Vendor URL<\/strong><span>: <a href=\"https:\/\/getgophish.com\/\" target=\"_blank\" rel=\"noopener\">https:\/\/getgophish.com\/<\/a><\/span><br \/><strong>Vendor Status<\/strong><span>: Fixed<\/span><\/p>\n<h3><\/h3>\n<h3>Description<\/h3>\n<p><span>Gophish allows the creation of CSV sheets which contain malicious content.<\/span><\/p>\n<p><span><\/span><\/p>\n<h3>Proof of Concept (PoC)<\/h3>\n<p>The following screenshots show how a spreadsheet formula that is injected as the first name of a mail recipient executes when opened in a spreadsheet software such as Libreoffice Calc.<\/p>\n<p>Inject Spreadsheet formular <code>(=1+1)<\/code> at <code>\/groups<\/code><\/p>\n<p>[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd20200052-1.png\" _builder_version=\"4.9.4\" _module_preset=\"default\" title_text=\"usd20200052-1\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n<p><span>Launch a campaign at <\/span><code>\/campaigns<\/code><\/p>\n<p>[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd20200052-2.png\" _builder_version=\"4.9.4\" _module_preset=\"default\" title_text=\"usd20200052-2\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n<p><span>Export campaign results as CSV and open the file using LibreOffice Calc<\/span><\/p>\n<p>[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd20200052-3.png\" title_text=\"usd20200052-3\" _builder_version=\"4.9.4\" _module_preset=\"default\" custom_margin=\"27px||43px||false|false\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n<div class=\"e16902-22 x-container max width\">\n<div class=\"e16902-23 x-column x-sm x-1-1\">\n<p>Most spreadsheet software supports the functionality of formulas as for example OpenOffice Calc or Microsoft Office Excel. Here, any cell starting with an equal- (=), a plus- (+) or a minus-sign (-) will be interpreted as a formula and may contain malicious code as shown in the example above. Additionally, older software versions interpret cells starting with an at-sign (@) as formulas as well.<\/p>\n<p>For OpenOffice, this vulnerability is classified as CVE-2014-3524 which emphasizes the risk of unfiltered spreadsheets. Due to this vulnerability, an attacker can take over the control of a victim\u2019s system or gain unauthorized access to private resources.<\/p>\n<h3>Fix<\/h3>\n<p><span>It is recommended to restrict the set of allowed characters as much as possible for all user input. This can, for example, be realized with a whitelist.<\/span><br \/><span>Additionally, every cell that starts with an equal- (=), a plus- (+), a minus- (-) or an at-sign (@), or contains a comma (,) or a semicolon (;) should be embedded in double quotes (\u201e) when generating spreadsheets, such as csv, xls or xlsx files, automatically. Furthermore, every double quote occurring within the content of a cell should be preceded by another double quote to avoid an early termination of the quoted string. In order to achieve this, a suitable library can be used.<\/span><\/p>\n<h3><\/h3>\n<h3>Timeline<\/h3>\n<ul>\n<li>2020-06-18 First contact request via security@getgophish.com<\/li>\n<li>2020-06-22 Vendor responds to initial contact<\/li>\n<li>2020-07-25 Vendor publishes a fix <a href=\"https:\/\/github.com\/gophish\/gophish\/commit\/b25f5ac5e468f6730e377f43c7995e18f8fccc2b\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/gophish\/gophish\/commit\/b25f5ac5e468f6730e377f43c7995e18f8fccc2b<\/a><\/li>\n<li>2020-09-29 Security advisory released<\/li>\n<\/ul>\n<h3><\/h3>\n<h3>Credits<\/h3>\n<p><span>This security vulnerability was found by Marcus Nilsson of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2020-0052 | Gophish v0.10.1 Advisory ID: usd-2020-0052CVE Number: CVE-2020-24707Affected Product: GophishAffected Version: v0.10.1Vulnerability Type: CSV InjectionSecurity Risk: MediumVendor URL: https:\/\/getgophish.com\/Vendor Status: Fixed Description Gophish allows the creation of CSV sheets which contain malicious content. Proof of Concept (PoC) The following screenshots show how a spreadsheet formula that is injected as the first name of a [&hellip;]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16703","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16703","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16703"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16703\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16703"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}