CSV Injection (aka Excel Macro Injection or Formula Injection) in /lib/plugins/usermanager/admin.php in DokuWiki 2018-04-22a and earlier allows remote attackers to exfiltrate sensitive data and to execute arbitrary code via a value that is mishandled in a CSV export. NOTE: the vendor has stated this is not a security problem in DokuWiki.
Weakness
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Dokuwiki | Dokuwiki | * | 2018-04-22a (including) |
| Dokuwiki | Ubuntu | bionic | * |
| Dokuwiki | Ubuntu | cosmic | * |
| Dokuwiki | Ubuntu | disco | * |
| Dokuwiki | Ubuntu | eoan | * |
| Dokuwiki | Ubuntu | groovy | * |
| Dokuwiki | Ubuntu | hirsute | * |
| Dokuwiki | Ubuntu | impish | * |
| Dokuwiki | Ubuntu | kinetic | * |
| Dokuwiki | Ubuntu | lunar | * |
| Dokuwiki | Ubuntu | mantic | * |
| Dokuwiki | Ubuntu | trusty | * |
| Dokuwiki | Ubuntu | xenial | * |
Potential Mitigations
References
- https://github.com/splitbrain/dokuwiki/issues/2450
- https://seclists.org/fulldisclosure/2018/Sep/4
- https://www.patreon.com/posts/unfixed-security-21250652
- https://www.sec-consult.com/en/blog/advisories/dokuwiki-csv-formula-injection-vulnerability/
- https://github.com/splitbrain/dokuwiki/issues/2450
- https://seclists.org/fulldisclosure/2018/Sep/4
- https://www.patreon.com/posts/unfixed-security-21250652
- https://www.sec-consult.com/en/blog/advisories/dokuwiki-csv-formula-injection-vulnerability/