zhblue hustoj
cpe:2.3:a:hustoj:hustoj:*:*:*:*:*:*:*
- >= 0, < 1
A CSV injection vulnerability, also known as formula injection, has been identified in Hustoj, an open-source online judge platform. All versions are affected. The vulnerability arises in the contest rank export functionality, specifically in the files 'contestrank.xls.php' and 'admin/ranklist_export.php'. The application does not properly sanitize user input in the 'Nickname' field before exporting it to an .xls file, which is rendered as an HTML table but opened in Excel. This lack of input validation allows a malicious user to inject an Excel formula, which, when the rank list is exported and opened in Microsoft Excel, gets executed. This could result in arbitrary command execution on the administrator's machine or data exfiltration.
Exploitation of this vulnerability allows for CSV injection, where injected formulas are executed when the exported file is opened in Microsoft Excel. This could lead to arbitrary command execution on the administrator's machine or unauthorized data access.
To reproduce this vulnerability, register a new user account and change the Nickname to a malicious payload, such as an Excel formula designed to execute a command, like launching the calculator application. After submitting a solution to a contest to appear in the rank list, log in as an administrator, export the rank list, and open the downloaded file in Microsoft Excel. The injected formula will be executed, demonstrating the vulnerability.
Sanitize the 'Nickname' value at export time in both 'contestrank.xls.php' and 'admin/ranklist_export.php': if the first character of the nickname is '=', '+', '-' or '@', prepend a single quote so that spreadsheet applications treat the cell as literal text rather than as a formula.
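The remediation above, written out as an added PHP example. This is not Hustoj's own code and the function names (`neutralize_formula_trigger`, `export_rank_row`, `self_check`) are hypothetical; it goes slightly beyond the advisory by also treating a leading tab or carriage return as a trigger (following OWASP's CSV-injection guidance) and by checking the first non-space character so that a value padded with leading spaces is still neutralised. Because the export is an HTML table, each cell is additionally HTML-escaped after the formula check. The sample values in `self_check()` are constructed for the test, not real user data.

```php
<?php
declare(strict_types=1);

// Added example (not Hustoj's own code): neutralise spreadsheet formula
// triggers in user-controlled fields before they reach the rank list export.
// Function names are hypothetical.

/**
 * Returns $value with a single quote prepended when Excel would otherwise
 * interpret it as a formula. The advisory's trigger set is '=', '+', '-' and
 * '@'; tab and carriage return are added here per OWASP's CSV-injection
 * guidance, which goes beyond what the advisory lists. The check looks at the
 * first non-space character, but the quote is placed at the very start of the
 * original value so the cell is unchanged apart from the prefix.
 */
function neutralize_formula_trigger(string $value): string
{
    $triggers = ['=', '+', '-', '@', "\t", "\r"];
    $first = substr(ltrim($value, ' '), 0, 1);
    if ($first !== '' && in_array($first, $triggers, true)) {
        return "'" . $value;
    }
    return $value;
}

/**
 * Builds one <tr> of the HTML-table-as-.xls export. Every cell passes through
 * the formula-trigger check and then HTML escaping, so neither Excel nor a
 * browser rendering the exported file interprets user input as markup or as a
 * formula. With ENT_QUOTES the prepended quote is emitted as &#039;, which the
 * spreadsheet's HTML parser decodes back to a literal apostrophe.
 */
function export_rank_row(array $cells): string
{
    $html = '';
    foreach ($cells as $cell) {
        $safe = htmlspecialchars(
            neutralize_formula_trigger((string) $cell),
            ENT_QUOTES,
            'UTF-8'
        );
        $html .= '<td>' . $safe . '</td>';
    }
    return '<tr>' . $html . '</tr>';
}

/**
 * Constructed test vectors (not real user data). Returns true when every
 * sample is neutralised as expected and the row builder escapes correctly.
 */
function self_check(): bool
{
    $vectors = [
        ['alice',      'alice'],
        ['=1+1',       "'=1+1"],
        ['+1',         "'+1"],
        ['-1',         "'-1"],
        ['@SUM(A1)',   "'@SUM(A1)"],
        ['  =1+1',     "'  =1+1"],     // leading spaces do not bypass the check
        ["\t=1+1",     "'\t=1+1"],     // tab trigger (OWASP extension)
        ['',           ''],            // empty nickname is left alone
    ];
    foreach ($vectors as [$in, $expected]) {
        if (neutralize_formula_trigger($in) !== $expected) {
            return false;
        }
    }
    $row = export_rank_row([1, '=1+1', '<b>x</b>']);
    return $row === '<tr><td>1</td><td>&#039;=1+1</td><td>&lt;b&gt;x&lt;/b&gt;</td></tr>';
}

echo self_check() ? "ok\n" : "FAIL\n";
```

Apply `neutralize_formula_trigger()` wherever a user-supplied field is written into an export, not only to the nickname, since any free-text column in the rank list would reach the same spreadsheet cell parser.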