Dear All, our Security Team has identified a CSV injection vulnerability in Archer. Any malicious user who has Archer access can inject code in a text field. If this record is exported to a CSV or Excel file by any other user, that script runs. Though we have multiple user reviews and validations in place, our security team believes that the application should not accept such inputs from the user where the data entered begins with a special character.
Has anyone else encountered this issue? How have you resolved this in your organization?
I appreciate any inputs on the same.
I have already raised a support ticket. Though we have received an initial response and have explained the issue to them, we are awaiting a detailed response. There is a KB article on the same, but it does not provide any resolution for the vulnerability.
I wanted to know if any other user has faced a similar issue and also how they have mitigated it.
In this response, there is no resolution mentioned. The issue our security team is stressing is that Archer accepts a CSV payload, which is then saved in the system. When this data is exported to Excel/CSV, it results in the exploitation of the vulnerability.
In the ticket we raised with Support, we raised the same concern: data validation is required at the input stage, which happens in Archer.
What we would like to understand is how we can resolve this issue.
Our Engineering and Security team, at this point in time, has taken the stance that CSV files, when exported from Archer, are harmless text files.
The issue only happens when those harmless text files are opened in other software applications that misinterpret the text data exported from Archer as something other than plain text. If you're concerned about the behavior of these other applications when opening these text files, it's possible to configure Archer to block exporting in these formats that can be opened by other applications that may misinterpret the data in the file.
If you want some kind of input validation/filtering on data input into Archer, so that when it is exported to plain-text CSV it does not cause issues in other software applications that users may use to open the files (and which then misinterpret the plain text as something other than text), then that would be something for the RSA Archer Ideas exchange.
We can hardly call a file harmless if the data is exported in the CSV and contains a script or payload which runs as soon as the CSV is opened. I am not referring to using that file in any other application. Just opening the CSV/Excel file can trigger the script to run. How can we claim that data is harmless?
Thanks for the reference to Archer Ideas. I will create an idea there for this request.
You mentioned that we can configure Archer in such a way as to block the export of such data in such formats. How can we do that? Where should we make the change in configuration?
The CSV file exported from Archer is passive text data as per RFC-4180, even with this scenario reproduced. The problem is with applications that open the CSV file and interpret the passive text data of a CSV file as something other than passive text data.
With this scenario reproduced, you can open the file in Notepad and confirm for yourself that it is only passive text data.
You can disable CSV in the Archer Control Panel's Installation Settings, which has a tab for file creation restrictions (whitelist/blacklist options).
Another option you may want to consider is limiting who can export data from your environment, which is something you define within your access roles.