projectSend r1605 - CSV injection

Exploit Author: Mirabbas Ağalarov Analysis Author: www.bubbleslearn.ir Category: WebApps Language: PHP Published Date: 2023-06-14
Exploit Title: projectSend r1605 - CSV injection
Version: r1605
Bugs:  CSV Injection
Technology: PHP
Vendor URL: https://www.projectsend.org/
Software Link: https://www.projectsend.org/
Date found: 11-06-2023
Author: Mirabbas Ağalarov
Tested on: Windows


2. Technical Details & POC
========================================
Step 1. Log in as an ordinary user.
Step 2. Go to My Account ( http://localhost/users-edit.php?id=2 ).
Step 3. Set the name to =calc|a!z|
Step 4. When an admin exports the action log as a CSV file ( http://localhost/actions-log.php ) and opens it in Excel, the injected formula is evaluated on the admin's machine and launches the calculator.

payload: =calc|a!z|


projectSend r1605 – CSV Injection Vulnerability: A Deep Dive into a Client-Side Formula Injection Flaw

On June 11, 2023, security researcher Mirabbas Ağalarov reported a CSV injection vulnerability in projectSend r1605, an open-source, self-hosted file-sharing web application written in PHP. A low-privileged user can store a spreadsheet formula in a profile field that later lands in the application's action log; when an administrator exports that log as CSV and opens it in a spreadsheet program, the formula is evaluated on the administrator's workstation. The exported file is only text, so nothing happens on the server: the damage occurs wherever the CSV is opened, and it depends on how spreadsheet applications, Microsoft Excel in particular, interpret cell contents that look like formulas.

Understanding CSV Injection: The Core Concept

CSV (Comma-Separated Values) files are plain text and carry no executable content of their own, but the spreadsheet applications that open them (Excel, Google Sheets, LibreOffice Calc) apply their own interpretation to each cell. A cell whose content begins with one of the formula trigger characters =, +, -, or @ (and, in Excel, a leading tab or carriage return) is evaluated as a formula rather than displayed as text.

CSV injection, also called formula injection, abuses this: the attacker supplies a value that starts with = followed by a formula, knowing that the application will write it unchanged into a CSV export. The server never evaluates anything; the formula runs only when a victim opens the exported file in a spreadsheet application, which is why the issue is easy to miss in server-side testing.

Exploit in Action: The projectSend r1605 Case Study

The injection point is the name field handled by users-edit.php, and the sink is the CSV export of the action log in actions-log.php, which writes the stored name into the file without neutralising formula characters. The attack chain:

  • Step 1: The attacker logs in as an ordinary, authenticated user.
  • Step 2: The user navigates to My Account via http://localhost/users-edit.php?id=2.
  • Step 3: The attacker sets the account name to the payload =calc|a!z|. Because the application logs account changes, the payload is now part of the action log.
  • Step 4: An administrator, who sees nothing more than an odd-looking user name in the web UI, exports the action log from actions-log.php as a CSV file.
  • Result: When the CSV is opened in Excel on Windows, the cell =calc|a!z| is parsed as a DDE formula and Excel offers to start calc.exe; if the administrator accepts the prompt, Windows Calculator is launched.

Technical Breakdown: How the Payload Works

=calc|a!z|

This is not an ordinary Excel function call but Excel's legacy Dynamic Data Exchange (DDE) syntax, =application|topic!item. The = prefix makes Excel parse the cell as a formula; calc is taken as the name of the DDE server application to start, so Excel launches calc.exe; a is the DDE topic and z the item requested from it. Both are arbitrary placeholders: Calculator is not a DDE server and the request fails, but by then the process has already been started. The | and ! are DDE delimiters, not validation-bypass tricks.

The same mechanism is more often demonstrated with =cmd|' /C calc'!A0, which hands an arbitrary command line to cmd.exe, and it is documented Excel behaviour rather than an undocumented quirk. Two practical caveats apply. Excel asks for confirmation before starting an external application, and current Microsoft 365 builds ship with "Enable Dynamic Data Exchange Server Launch" switched off in the Trust Center, so the attack depends on the victim's Excel configuration and on clicking through a warning. LibreOffice Calc does not honour this syntax (it exposes DDE through a separate DDE() function), which is why the advisory lists Windows as the tested platform.

Why This Is Dangerous

CSV injection is often overlooked because it appears harmless. However, its real-world impact can be severe:

  • Code execution on the victim's workstation: beyond launching Calculator, a DDE payload through cmd.exe or PowerShell can run any command with the privileges of the person who opened the file, including fetching a second stage or starting a reverse shell. This is client-side, user-assisted execution, not remote code execution on the server.
  • Data exfiltration and phishing: formulas such as HYPERLINK() can, when clicked, send the contents of other cells to an attacker-controlled URL or lead the user to a phishing page.
  • Crossing a privilege boundary: the payload is entered by a low-privileged user but evaluated on the administrator's machine, so the attacker reaches an asset that the application's own access control never protected.

This vulnerability demonstrates how a simple input field—such as a user’s name—can become a vector for serious security breaches.

Real-World Impact and Mitigation

projectSend r1605 is a PHP web application for sharing files with clients. Because the action log records values that users control, such as their own account name, the export code has to treat every cell as untrusted output and encode it for the spreadsheet that will consume it; input filtering alone is not enough.

Recommended Fixes:

  • Output encoding at the CSV sink: when writing a cell whose value begins with =, +, -, @, tab or carriage return, prefix it with a single quote (') so the spreadsheet treats it as text; in addition, enclose fields that contain separators, quotes or newlines in double quotes and double any embedded quotes, so that a value cannot start a new cell.
  • Input validation as defence in depth: a display name has no legitimate reason to start with a formula character, so the users-edit.php handler can reject such values, but this does not protect other fields or data that entered the database before the check existed.
  • Be wary of blocklists: scanning exports for "suspicious patterns" is brittle and easy to bypass; the per-cell prefix is deterministic and should be the primary control.

For example, the stored name from the advisory would be written to the CSV as:

'=calc|a!z|

The leading apostrophe stops Excel from evaluating the cell; in a CSV import the apostrophe stays visible as part of the text, which is the accepted trade-off. Legitimate values such as negative numbers or phone numbers starting with + also receive the prefix, so the rule is best applied only to free-text columns, or numeric columns should be typed explicitly when a real spreadsheet format is used.
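As an added example, not code from projectSend, here is how the export in actions-log.php could be hardened in the project's own language, PHP. The column names and the shape of the row array are assumptions; the payload row reproduces the advisory's name value and the other rows are constructed.

```php
<?php
// Added example, not projectSend's own code: a hardened CSV export for the
// action log. Column names and the $rows layout are assumptions.
declare(strict_types=1);

/**
 * Neutralise spreadsheet formula triggers in a single CSV cell.
 * Excel and LibreOffice evaluate a cell beginning with = + - @ as a formula,
 * and Excel also honours a leading tab or carriage return; a leading
 * apostrophe forces the cell to be read as text.
 */
function csv_safe_cell(string $value): string
{
    $triggers = ['=', '+', '-', '@', "\t", "\r"];
    // Check the raw first character and, defensively, the first non-blank
    // one in case the importer strips leading whitespace before deciding
    // whether the cell is a formula.
    $candidates = [$value, ltrim($value, " \t\r\n")];
    foreach ($candidates as $c) {
        if ($c !== '' && in_array($c[0], $triggers, true)) {
            return "'" . $value;
        }
    }
    return $value;
}

/**
 * Write rows as CSV. fputcsv() encloses fields containing the separator,
 * quotes, whitespace or newlines and doubles embedded quotes; the empty
 * escape argument (PHP >= 7.4) turns off PHP's backslash escaping so a
 * trailing backslash in a value cannot swallow the closing quote.
 *
 * @param resource $stream
 * @param array<int, array<string, scalar|null>> $rows
 */
function export_csv($stream, array $rows): void
{
    if ($rows === []) {
        return;
    }
    // Column names come from the application, not the user, so they are
    // written as-is; every data cell is treated as untrusted.
    fputcsv($stream, array_keys($rows[0]), ',', '"', '');
    foreach ($rows as $row) {
        $cells = array_map(
            static fn($v): string => csv_safe_cell((string) $v),
            array_values($row)
        );
        fputcsv($stream, $cells, ',', '"', '');
    }
}

// Constructed sample rows shaped like action-log entries. The second row
// carries the advisory's payload as the user name; the third holds a value
// that needs quoting but is not a formula.
$rows = [
    ['timestamp' => '2023-06-11 10:00:00', 'user' => 'alice',      'action' => 'Logged in'],
    ['timestamp' => '2023-06-11 10:02:13', 'user' => '=calc|a!z|', 'action' => 'Updated account'],
    ['timestamp' => '2023-06-11 10:03:40', 'user' => 'bob',        'action' => 'Uploaded "Q2 report, draft.pdf"'],
];

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/csv; charset=utf-8');
    header('Content-Disposition: attachment; filename="actions-log.csv"');
}
$out = fopen('php://output', 'w');
export_csv($out, $rows);
fclose($out);
```

Run it from the command line (php export.php) to see the CSV on stdout: the payload cell comes out as '=calc|a!z|, which Excel shows literally, while the file name row shows fputcsv() enclosing the field and doubling the embedded quotes. The vulnerable version of this export is the same code without the csv_safe_cell() mapping. Values such as -5 or +48 would also receive the prefix, so columns that must stay numeric should be exempted from the rule or written as typed cells in a real spreadsheet format.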

Best Practices to Prevent CSV Injection

Security experts recommend adopting the following practices:

Practice: Description
Always prefix formula triggers: Prefix any value starting with =, +, -, @, tab or carriage return with ' in CSV exports, and enclose fields that contain separators or quotes in double quotes.
Use a maintained export library: PHPExcel and Spout are both abandoned; their successors are PhpSpreadsheet and OpenSpout. Neither a library's CSV writer nor PHP's fputcsv() neutralises formula triggers on its own, so the prefix still has to be applied to cell values before they are written.
Prefer a real spreadsheet format where possible: an .xlsx file can store a value as an explicit string, which removes the ambiguity of CSV, but only if the cell is written as a string type; PhpSpreadsheet's default value binder treats a string beginning with = as a formula.
Restrict export permissions: Only administrators or trusted users should be able to export logs, and they should know that exports contain user-supplied text.
Harden the consumer: Keep Excel's DDE server launch disabled through the Trust Center or Group Policy, which blocks the calc and cmd variants regardless of what the export contains.

Conclusion: A Wake-Up Call for Developers

The projectSend r1605 CSV injection flaw is a reminder that seemingly innocuous features, such as user name fields and CSV exports, can become attack vectors against the people who consume the data. Developers must treat all user input with suspicion, especially when it is exported to formats that are interpreted by external applications.

Understanding and mitigating injection flaws at these format boundaries is part of basic secure design. Proper input validation, secure output encoding, and awareness of how the consuming application interprets data are foundational to building resilient systems.