TrueConf Server CSV Formula Injection Vulnerability Allowing Code Execution

Vulnerability

A CSV formula injection vulnerability has been identified in TrueConf Server version 5.5.2.10813. This vulnerability allows users to inject malicious spreadsheet formulas into exported chat logs by manipulating the Display Name. The issue arises because user input is directly written into CSV exports without proper sanitization. When the CSV file is opened in a spreadsheet application that evaluates formulas, the injected payloads can execute automatically, potentially leading to code execution or unauthorized data access.

Impact

Exploitation of this vulnerability allows for arbitrary formula execution in the context of the user opening the CSV file, with the potential for code execution or information disclosure, depending on the nature of the injected formula.

Reproduction

To reproduce this vulnerability, set the user Display Name to include a malicious formula, such as one that executes a command. After joining a conference and sending messages, an administrator can export the chat messages to a CSV file. When the exported CSV file is opened in a spreadsheet application that interprets formulas, the injected formula is evaluated and executed.

Remediation

Users are advised to escape or filter Display Name inputs that begin with characters commonly used to initiate spreadsheet formulas, such as '=', '+', '-', '@', or '|', before including them in CSV exports. Alternatively, prefixing these values with a single quote can prevent the execution of the formulas.
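The escaping described above, as an added example that is not TrueConf's code: a Python export routine that neutralises any field starting with a formula trigger before it is written to CSV, plus a scanner a defender can run over an already-exported file. It assumes hypothetical `(display_name, message)` tuples as input, and extends the advisory's character list with tab and carriage return, which OWASP's CSV injection guidance also treats as formula triggers.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula. '=', '+', '-', '@' and '|' come from the advisory; tab and carriage
# return are added per OWASP CSV injection guidance.
FORMULA_PREFIXES = ("=", "+", "-", "@", "|", "\t", "\r")


def neutralize_cell(value):
    """Return `value` so that a spreadsheet renders it as literal text.

    A leading apostrophe is the text marker understood by Excel and
    LibreOffice; quoting the field with double quotes alone is NOT enough,
    because quoted cells are still evaluated once the file is opened.
    """
    if isinstance(value, str) and value.startswith(FORMULA_PREFIXES):
        return "'" + value
    return value


def export_chat_csv(messages):
    """Serialise chat messages into CSV text with every cell neutralised.

    `messages` is a list of (display_name, message) tuples (constructed
    input standing in for the server's exported chat log).
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["display_name", "message"])
    for display_name, text in messages:
        writer.writerow([neutralize_cell(display_name), neutralize_cell(text)])
    return buf.getvalue()


def scan_csv_for_formulas(csv_text):
    """Detection helper: list (row, column) positions, 1-based, of every cell
    in an existing CSV export that would be evaluated as a formula."""
    hits = []
    for row_no, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for col_no, cell in enumerate(row, start=1):
            if cell.startswith(FORMULA_PREFIXES):
                hits.append((row_no, col_no))
    return hits


if __name__ == "__main__":
    # Constructed sample: a display name that would be evaluated if exported raw.
    sample = [("=1+1", "hello"), ("Alice", "-5 degrees outside")]
    print(export_chat_csv(sample))
    print(scan_csv_for_formulas("name,msg\n=cmd,hi\nbob,@x\n"))
```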

Added: Dec 30, 2025, 7:20 PM
Updated: Dec 30, 2025, 7:20 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 10.0
exploitability: 6.5
remediation: 7.9
relevance: 1.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.