CSV Command Injection In Twitter

Twitter allows users to export analytics of their tweets as a CSV file. By injecting a payload into a Tweet
Create a new tweet with the content -2+3+cmd|' /C calc'!D2.
Click on Export Data at the top right of the page. (I've attached that file.)
Open the .CSV file on a Windows machine.
Possible Fix:
Prefix any exported field that begins with =, +, - or @ with a ' when writing it to the .CSV file.
Ensure all fields are properly "escaped" before returning the CSV file to the user.
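The two fixes above, worked out in Python as an added example (this is not code from the video or from Twitter): neutralize_cell adds the single-quote prefix, export_analytics writes properly quoted CSV, and audit_csv checks an already generated export for cells that still begin with a formula trigger. Tab and carriage return are included as extra triggers on the basis of OWASP's CSV injection guidance rather than the page, and the sample rows are constructed; only free-text fields are neutralized, so numeric columns still parse as numbers.

```python
import csv
import io

# Leading characters that spreadsheets interpret as the start of a formula.
# The page lists =, +, - and @; tab and carriage return are an addition
# taken from OWASP's CSV injection guidance, not from the page.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample rows: (tweet_id, text, impressions). The first text is
# the payload shown on the page; the tweet ids and counts are made up.
SAMPLE_ROWS = [
    (1001, "-2+3+cmd|' /C calc'!D2", 42),
    (1002, "Just a normal tweet", 7),
    (1003, "+1 to this", 3),
]


def neutralize_cell(value: str) -> str:
    """Apply the page's first fix: prefix a single quote when the cell
    starts with a formula trigger so the spreadsheet reads it as text."""
    if value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_analytics(rows) -> str:
    """Build the CSV text for an analytics export. Every free-text field is
    neutralized, and the csv module quotes each field and doubles any
    embedded double quotes, which covers the page's second fix."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["tweet_id", "text", "impressions"])
    for tweet_id, text, impressions in rows:
        writer.writerow([tweet_id, neutralize_cell(text), impressions])
    return buf.getvalue()


def audit_csv(csv_text: str) -> list:
    """Defender-side check for an existing export: return (row, column)
    pairs of cells that still begin with a formula trigger."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_TRIGGERS):
                findings.append((r, c))
    return findings


if __name__ == "__main__":
    safe = export_analytics(SAMPLE_ROWS)
    print(safe)
    print("remaining formula-like cells:", audit_csv(safe))
```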
This report was submitted to Twitter via HackerOne in October 2018. They closed it as Informative, but the problem still exists, because Excel needs to handle this.
I write more at Muhaddis.Info
LinkedIn, Twitter, Facebook, Instagram: @MuhaddiMu