Choose language:
Pratite nas:
back

CSV Excel Macro Injection in Password Manager Pro

09.03.2020

After exposing the CSRF vulnerability, here we are with one more; this time the problem is in export function that allows injection of malicious payload in the input field

Once again, Luka Sikic, one of the tallest pen testers we ever had at Infigo IS, found a vulnerability in web app Password Manager Pro. Specifically, it is CSV Excel Macro Injection identified in export function of beforementioned app.
The thing is, in theory, quite simple – the attacker injects malicious code in the input field. After the app exports it to the CSV the victim opens the document, which in turn executes malicious formula. Our example executed Calculator app when loaded into Excel 2016, but as you can see, the danger is far greater than that. Especially since it's program dependent so for example you can make LibreOffice do local files data exfiltration.
 
Unfortunately, although we provided the developer of the Password Manager Pro with mitigation proposal, security engineers at Zoho, developer of Password Manager Pro, deem that this is a problem with CSV format and that application that reads the file (like Microsoft Excel) should show a warning – in other words, problem is on the import side, not on the export.
Well, what can you do? If you want to skim through CVE, you can do that here.