
CSV Injection

From OWASP
Revision as of 08:04, 23 September 2015 by Timo.goosen (page created)


CSV Injection is also known as CSV Excel Macro Injection (CEMI).

Many web applications allow the user to download content, such as invoice templates or user settings, as a CSV file. Many users open that CSV file in Excel, LibreOffice or OpenOffice. When the web application does not properly validate or neutralize the contents of the CSV file, the contents of one or more cells can be interpreted as formulas and executed by the spreadsheet application.
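The following is an added example, not code from the original page or from OWASP: a minimal CSV export routine in its vulnerable form (user-supplied text written straight into cells) beside a hardened form that neutralizes cell contents, plus an audit function that scans a CSV document for cells a spreadsheet would treat as formulas. The set of leading characters treated as formula triggers (`=`, `+`, `-`, `@`, tab, carriage return) and the single-quote prefix technique are assumptions of this example; the page itself does not list them. The sample rows are constructed.

```python
import csv
import io

# Leading characters that make Excel, LibreOffice and OpenOffice interpret a
# cell as a formula instead of text. Assumption for this example; the page
# does not enumerate them.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return `value` as text that a spreadsheet will render literally.

    A leading single quote forces the cell to be treated as text, so a value
    such as "=1+1" is shown as "=1+1" rather than evaluated.
    """
    text = "" if value is None else str(value)
    if text and text[0] in FORMULA_TRIGGERS:
        text = "'" + text
    return text


def export_csv(rows, neutralize=True):
    """Serialize `rows` (iterables of cell values) to CSV text.

    neutralize=False reproduces the vulnerable export: user-controlled text is
    written into cells unchanged. neutralize=True is the hardened export.
    """
    buf = io.StringIO()
    # QUOTE_ALL also keeps embedded commas, quotes and newlines inside the
    # cell they belong to, so a value cannot spill into neighbouring cells.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        if neutralize:
            writer.writerow([neutralize_cell(v) for v in row])
        else:
            writer.writerow(["" if v is None else str(v) for v in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Audit a CSV document and return (row, col, value) for every cell whose
    first character is a formula trigger. Rows and columns are 1-based."""
    findings = []
    reader = csv.reader(io.StringIO(csv_text))
    for r, row in enumerate(reader, start=1):
        for c, cell in enumerate(row, start=1):
            if cell and cell[0] in FORMULA_TRIGGERS:
                findings.append((r, c, cell))
    return findings


if __name__ == "__main__":
    # Constructed sample: a profile export where the "note" field is free text
    # entered by the user and therefore attacker-controllable.
    rows = [("name", "note"), ("alice", "=1+1"), ("bob", "regular note")]
    unsafe = export_csv(rows, neutralize=False)
    safe = export_csv(rows)
    print("vulnerable export:\n" + unsafe)
    print("formula cells found:", find_formula_cells(unsafe))
    print("hardened export:\n" + safe)
    print("formula cells found:", find_formula_cells(safe))
```

Apply `neutralize_cell` to user-controlled fields at the point of export; columns the application itself generates from numeric data can be emitted without the prefix, since prefixing turns a negative number such as `-5` into text. `find_formula_cells` is useful both for reviewing an application's own exports and as an ingestion-side check on CSV files received from outside.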

More information (probably the first report of this kind of attack):

This attack exploits the trust of the user in two ways:

1. The user trusts the site that the content is coming from.
2. The user assumes that it is only a CSV file, that it won't contain functions or macros, and therefore won't care about any warnings from Excel about potentially malicious functionality in the file.