SourceCodester Pharmacy Sales and Inventory System
cpe:2.3:a:pharmacy_sales_and_inventory_system_project:pharmacy_sales_and_inventory_system:*:*:*:*:*:*:*
- 1.0
A CSV injection vulnerability has been identified in SourceCodester Pharmacy Sales and Inventory System versions through 1.0. The issue arises in the supplier creation interface, specifically within the 'create_supplier' function of the '/Export_csv/export' file. The vulnerability allows for the injection of malicious formulas into CSV exports by exploiting unsanitized user input in fields such as 'Address', 'Company Name', 'Mobile', and 'Previous Due'. When the exported CSV file is opened in spreadsheet applications like Microsoft Excel or WPS Spreadsheet, these formulas are executed, potentially leading to unauthorized actions.
Exploitation of this vulnerability allows attackers to inject harmful formulas that are executed when the CSV file is opened, creating risks of data exfiltration, phishing attacks, and, in some cases, arbitrary command execution on the victim's machine.
To reproduce this vulnerability, log into the system and navigate to the supplier creation page. Inject a formula payload, such as '=1+1', into the 'Address' field. After saving the supplier, export the supplier list to CSV and open the file in WPS Spreadsheet. The injected formula will be executed, demonstrating the CSV injection. For proof of concept, a hyperlink payload can also be injected, which, when clicked in the exported CSV, exfiltrates data to an external server.
To address this vulnerability, sanitize CSV output so that any value beginning with a formula-triggering character is prefixed with a single quote (or a tab) and is therefore treated as plain text by the spreadsheet application. Implement checks that reject or neutralize formula injection characters before data is written to the CSV. Send the export with appropriate content-type and attachment headers, and apply output encoding to every user-controllable field before exporting. Regular security audits should also be conducted to identify and fix potential CSV injection vulnerabilities.
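The following is an added example of the single-quote neutralisation described above; it is not code from the Pharmacy Sales and Inventory System. It is written in Python rather than the application's own code, the column names are taken from the fields the advisory lists, and the supplier rows are constructed sample data (the '=1+1' cell is the advisory's own test payload). The same predicate serves both as the export-time sanitizer and as an input-side check that a create-supplier handler could apply before storing a value.

```python
import csv
import io

# Leading characters that make Excel, WPS Spreadsheet and similar tools
# interpret a cell as a formula (the OWASP CSV injection character set).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Column set assumed from the fields named in the advisory.
FIELDNAMES = ["Company Name", "Address", "Mobile", "Previous Due"]

# Constructed sample rows, not data from the application.
SAMPLE_SUPPLIERS = [
    {"Company Name": "Acme Pharma", "Address": "=1+1",
     "Mobile": "+15551234567", "Previous Due": "-20.00"},
    {"Company Name": "Beta Meds", "Address": "12 High St",
     "Mobile": "0155512345", "Previous Due": "0.00"},
]


def starts_with_formula_trigger(value):
    """True if the cell text would be evaluated as a formula by a spreadsheet.

    Leading whitespace is ignored so that a payload padded with spaces is
    still caught (conservative: it may flag a few harmless cells).
    """
    text = "" if value is None else str(value)
    stripped = text.lstrip(" ")
    return bool(stripped) and stripped[0] in FORMULA_TRIGGERS


def sanitize_cell(value):
    """Neutralise a value destined for a CSV cell.

    A leading single quote tells the spreadsheet to treat the cell as text.
    The quote is only added when needed, so ordinary values are unchanged.
    Note the trade-off: legitimate values such as '+1555...' phone numbers or
    negative balances are also prefixed and will show the quote in the sheet.
    """
    text = "" if value is None else str(value)
    if starts_with_formula_trigger(text):
        return "'" + text
    return text


def export_suppliers_csv(rows, fieldnames=FIELDNAMES):
    """Render supplier rows as CSV text with every cell sanitised.

    QUOTE_ALL wraps every field in double quotes (embedded quotes are
    doubled by the csv module), so tabs, commas or newlines inside a value
    cannot break the row structure either.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: sanitize_cell(row.get(k)) for k in fieldnames})
    return buf.getvalue()


def validate_supplier_input(form):
    """Input-side check for a create-supplier handler (hypothetical name).

    Returns the list of field names whose value would be neutralised on
    export, so the caller can reject the submission or warn the user.
    """
    return [k for k in FIELDNAMES if starts_with_formula_trigger(form.get(k))]


if __name__ == "__main__":
    print(export_suppliers_csv(SAMPLE_SUPPLIERS))
    print("flagged fields:", validate_supplier_input(SAMPLE_SUPPLIERS[0]))
```

On the HTTP side, the export should additionally be served with a `text/csv` content type and a `Content-Disposition: attachment` header so the browser downloads the file rather than rendering it; the sanitisation above is what protects the user once the file is opened in a spreadsheet.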