Hi, a recent penetration test from one of our customers reported a csv script issue. There are more details at http://georgemauer.net/2017/10/07/csv-injection.html.
They triggered it using our flexmonster export. Is there any built in way to sanitize the flexmonster exports?
CSV Excel Macro Injection, also known as Formula Injection or CSV Injection, is an attack technique which exploits the “Export to Spreadsheet” function and can be used to compromise your viewer’s computer. The spreadsheets are dynamically generated from input that is invalidated or unfiltered user input. This is not a vulnerability in Excel, LibreOffice or OpenOffice, but a vulnerability in every website that places active content from untrusted sources into spreadsheets.
Thank you for posting your question on our forum and for providing us with all the details.
We have just released the 2.6.9 version of Flexmonster that has a built-in prevention of formula injection (CSV injection) for export to Excel. It simply prevents the execution of the formulas in the exported Excel file.
We recommend you to update your component to the latest version. Here is the documentation article on how to update it: https://www.flexmonster.com/doc/updating-to-the-latest-version/
Please let me know if the issue is resolved after the update.