[Resolved] Michael Kraus

    (@mjkraus)

    Hello,

    When scanning recently with WordFence, the TablePress plugin shows a critical vulnerability and the text below:

    Plugin Name: TablePress
    Current Plugin Version: 1.14
    Details: To protect your site from this vulnerability, the safest option is to deactivate and completely remove “TablePress” until a patched version is available. Get more information.
    Repository URL: https://www.ads-software.com/plugins/tablepress
    Vulnerability Information: https://www.cve.org/CVERecord?id=CVE-2019-20180

    When reviewing the TablePress Vulnerability via the link, it goes to a 404 page.

    Will there be a new release soon that addresses this issue and brings TablePress up to the most current compatibility?

    The Plugin is great by the way. Really useful and lots of options!


Viewing 15 replies - 31 through 45 (of 79 total)
    Tobias and others,

    I recently had several emails with WordFence and they just provided me with a new URL that states the vulnerability still exists in v.1.14. In reading the report (link and content below), it appears that the problem is:

    1. Limited to someone with administrator access.
    2. When an administrator EXPORTs a CSV file from TablePress and then downloads it, that CSV file can include unsafe formulas.

    It seems to me the only way this could be a problem would be if the administrator (1) modified a field in TablePress and then (2) downloaded the CSV file and then (3) imported the CSV into Excel.

    It seems to me like the example given could not be any more unsafe than the original spreadsheet formula: [(1) Export a CSV from Excel, (2) Import the CSV into Tablepress, (3) Export from TablePress to CSV, and (4) Import the CSV to Excel]. This process would only end up re-importing a formula that (1) was in the original Excel file (2) and would not, to my knowledge, be used in any way by TablePress.

    Anyway, I agree that, while the report may be technically accurate, the hoops needed to jump through to cause a problem are numerous. I saw Tobias suggest one fix was to prevent the import of a CSV field with a formula, but expressed concern that then the administrator would lose the formula on export from TablePress. I have a really difficult time believing this would be a real problem. I mean, who actually works like that?

    Anyway, my comfort level is now fine using it as is, but I also think that a mod to strip formulas from CSV files on import would be a helpful modification (or option).

    Mark Hunnibell

    https://www.exploit-db.com/exploits/50270

    # Exploit Title: WordPress Plugin TablePress 1.14 - CSV Injection 
    # Date: 07/09/2021
    # Exploit Author: Nikhil Kapoor
    # Vendor Homepage:
    # Software Link: https://www.ads-software.com/plugins/tablepress/
    # Version: 1.14
    # Category: Web Application
    # Tested on Windows
    
    How to Reproduce this Vulnerability:
    
    1. Install WordPress 5.8.0
    2. Install and activate TablePress
    3. Navigate to TablePress >> Add New >> Enter Table Name and Description (optional) >> Select Number of Rows and Columns
    4. Click on Add Table
    5. Now in the Table Content input field enter the CSV Injection payload
    6. Click on Save Changes
    7. Now go to All Tables in TablePress, select the entered table >> Click on Export >> Select CSV as the Export Format
    8. Click on Download Export File
    9. Open the exported CSV file; you will see that the CSV Injection got successfully executed.
    
    Payload Used :- @SUM(1+9)*cmd|' /C calc'!A0

    Plugin Author TobiasBg

    (@tobiasbg)

    Hi @markhunnibell,

    1. Limited to someone with administrator access.

    In theory, Administrators, Editors, and Authors can be affected, as these are the user roles that have the access rights to export a TablePress table to a file.

    I saw Tobias suggest one fix was to prevent the import of a CSV field with a formula,

    Almost! Not on import, but on export! The import of files into TablePress is irrelevant for the entire discussion here!

    This is only about the functionality that TablePress can export a table (into which an attacker could have inserted a malicious formula — after already having obtained a user account on the site through a different hack!) to a CSV file.
    For this to be dangerous, the victim would have to export that table to a CSV file, open that file in Excel, AND ignore explicit security warnings.
    There is no risk to TablePress, WordPress, the site, or the server at all, as TablePress is only capable of evaluating safe math formulas (but not dangerous formulas that e.g. rely on calling command line scripts or load data from external sources).

    Regards,
    Tobias

    Would it be possible to sanitize the formulas so these vulnerabilities are gone and an export is safe?

    @tobiasbg Thanks for responding! The alert looked very odd and seemed old. I appreciate your diligence in getting to the bottom of it.

    Plugin Author TobiasBg

    (@tobiasbg)

    Hi @josklever,

    that would be nice, but from everything I know and was able to research, there is no reliable way for such escaping.

    Regards,
    Tobias

    Tobias,

    Perhaps you can add setting that would prefix any field value exported from TablePress to CSV file with a single ‘ (quotation mark). I believe that ‘ would disable the functionality of any formula in a CSV that was imported into Excel (as long as it was not matched at the end of the field with a closing ‘). Maybe that’s the default with some option to allow export of the unedited formulas? Of course, you could also add some info to the documentation about this “issue” to identify why it would only be an issue if an administrator did a number of unsafe things in exactly the right order.

    Mark

    Plugin Author TobiasBg

    (@tobiasbg)

    Hi @markhunnibell,

    I have considered that, but it would also affect legitimate math formulas. These would then no longer work either (even though that would be desired). The user would manually have to remove the ' from all formulas again. And even when re-importing such a file into TablePress, the question would come up as to what to do: That ' might have been added on purpose, to explicitly show a formula as text (I do that on https://tablepress.org/tablepress-features-formulas/ for example, to show the used formula).
    Escaping can only be a good option if it doesn’t alter the data (as that would break the CSV format’s use for backups and data exchange), but only serves as a “switch” to toggle formula evaluation off — but that escaping doesn’t exist, to my knowledge.

    Regards,
    Tobias
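    As an added example (not code from TablePress, from the Exploit-DB listing, or from anyone in this thread), the following Python script reproduces both sides of the discussion above: it writes a constructed table containing the quoted payload to CSV the way an unescaped export would, scans the resulting file for cells a spreadsheet would try to evaluate (a check worth running on a downloaded export before opening it in Excel), and then applies the single-quote prefix Mark proposes. The round trip shows Tobias’s objection concretely: after the prefix, a legitimate arithmetic formula and a cell that deliberately began with a quote read back as the same string. The table contents, the function names and the list of trigger characters are this example’s own assumptions.

```python
import csv
import io

# Leading characters that Excel, LibreOffice and Google Sheets treat as the
# start of a formula (the usual OWASP-style list, an assumption of this
# example, not something TablePress defines). '-' and '+' are included because
# "+cmd|..." is evaluated too, which means negative numbers also get flagged.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample table (not a real TablePress export): ordinary data, the
# payload from the Exploit-DB listing quoted in the thread, a harmless formula
# of the kind TablePress can evaluate, and a cell whose leading quote was
# typed on purpose to display a formula as text.
SAMPLE_TABLE = [
    ["Product", "Price", "Note"],
    ["Widget", "9.99", "in stock"],
    ["Gadget", "19.99", "@SUM(1+9)*cmd|' /C calc'!A0"],
    ["Subtotal", "=B2+B3", "sum of the two prices"],
    ["Literal", "'=B2+B3", "formula shown as text"],
]


def is_formula_like(cell: str) -> bool:
    """True if a spreadsheet would try to evaluate this cell as a formula."""
    return cell.startswith(FORMULA_TRIGGERS)


def neutralize_cell(cell: str) -> str:
    """Prefix formula-looking cells with a single quote so a spreadsheet keeps
    them as text. This cannot distinguish an attacker's payload from a
    legitimate formula, and it stacks on cells that already began with a
    quote, which is the data-altering problem raised in the thread."""
    if is_formula_like(cell):
        return "'" + cell
    return cell


def export_csv(rows, neutralize: bool) -> str:
    """Serialise rows to CSV, optionally applying neutralize_cell() to each
    cell, roughly what an export-time escaping option would do."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(c) if neutralize else c for c in row])
    return buf.getvalue()


def scan_csv(text: str):
    """Return (row, col, value) for every cell a spreadsheet would evaluate.
    Run this over a downloaded export before opening it in Excel."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                hits.append((r, c, cell))
    return hits


def round_trip(text: str):
    """Parse CSV text back into rows, as a re-import into TablePress would."""
    return list(csv.reader(io.StringIO(text)))


if __name__ == "__main__":
    raw = export_csv(SAMPLE_TABLE, neutralize=False)
    print("cells flagged in the unescaped export:", scan_csv(raw))
    safe = export_csv(SAMPLE_TABLE, neutralize=True)
    print("cells flagged after quoting:", scan_csv(safe))
    rows = round_trip(safe)
    print("Subtotal cell after round trip:", rows[3][1])
    print("Literal cell after round trip: ", rows[4][1])
```

    Running the script flags the payload cell and the legitimate `=B2+B3` cell alike, and after the quote prefix both the `Subtotal` formula and the deliberately quoted `Literal` cell come back as `'=B2+B3`, so a re-import cannot restore the original table, which is the trade-off the replies above describe.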

    Hello,

    I am having the same problem. If I understand correctly, TablePress does not have a security issue and the problem is mainly with Excel that is misinterpreting the content of a CSV file. Is that correct?

    Also, does this mean we can ignore this alert?

    Thanks in advance.

    Plugin Author TobiasBg

    (@tobiasbg)

    Hi @convospanish,

    correct. There is no security issue in TablePress, but a security problem might arise if someone deliberately ignores an explicit security warning when opening a CSV file in Excel.
    In my opinion, you can therefore ignore this alert.

    Best wishes,
    Tobias

    Livingstone

    (@livingstonewere)

    Thanks @tobiasbg

    Same problem here. Do you all just check “IGNORE” on Wordfence?

    Yeah, I set mine to ignore for now.

    Plugin Author TobiasBg

    (@tobiasbg)

    Hi @ks9090,

    yes, ignoring this would be my recommendation as well.

    Regards,
    Tobias

    Ignoring is a temporary option, because we would like to get notified if there’s a new issue detected. So I hope there’s some progress handling the CVE?

    Plugin Author TobiasBg

    (@tobiasbg)

    Hi,

    ah, my bad. I had thought this is for ignoring this specific notification.

    I have contested the CVE entry with MITRE (the organization that maintains the vulnerability database), but haven’t received any reply from them yet, since Friday. :-/

    Regards,
    Tobias

The topic ‘WordFence Alerts Critical for Vulenrability’ is closed to new replies.