# Exploit Title: Workday - CSV Injection
# Exploit Author: sinfosec
2019-06-04
Product & Service Introduction:
===============================
Workday, Inc. is an on-demand (SaaS) financial management and human capital management software vendor.
The product is designed to current security and coding standards and is intended for high-availability web deployments.
Impact
======
Arbitrary formulas can be injected into CSV/Excel files.
This can potentially lead to code execution on the client that opens the export (through DDE, after the user accepts Excel's warning prompts; current Office builds can disable DDE entirely) or to data leakage via maliciously injected hyperlinks, e.g. a HYPERLINK formula that sends other cells' contents to an attacker-controlled URL.
Proof of Concept
================
In order to exploit this vulnerability, the attacker inserts an Excel formula into any form field they can write to. If an administrator or HR user later exports that data as an Excel/CSV file, the file contains the formula verbatim. When they open the file in a spreadsheet application and accept the warning prompts, the formula is evaluated on their machine.
Example:
=rundll32|'URL.dll,OpenURL calc.exe'!A
Solution
========
The export function should neutralize fields that start with '=' (and the other formula triggers '+', '-', '@', tab and carriage return) when it exports data to CSV or Excel, for example by prefixing them with a single quote so the spreadsheet stores them as text. Wrapping the field in double quotes alone is not sufficient, because Excel strips the CSV quoting and still evaluates the content as a formula.
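The following is an added example, not code from the advisory or from Workday, showing the vulnerable export beside a hardened one. The sample rows (including the advisory's payload and two legitimate values that start with a trigger character) are constructed here; the function names and the trigger set, which follows the OWASP CSV Injection guidance, are this example's own choices.

```python
import csv
import io

# Leading characters that make Excel / LibreOffice interpret a cell as a
# formula or command (set taken from the OWASP CSV Injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample export: the advisory's payload plus benign rows, two of
# which legitimately start with a trigger character and must survive intact.
SAMPLE_ROWS = [
    ["name", "note"],
    ["Alice", "=rundll32|'URL.dll,OpenURL calc.exe'!A"],
    ["Bob", "-5 days overdue"],
    ["Carol", "+44 20 7946 0000"],
    ["Dave", "regular comment, with a comma"],
]


def is_formula(cell: str) -> bool:
    """True if a spreadsheet would evaluate this cell rather than display it."""
    return cell.startswith(FORMULA_TRIGGERS)


def neutralize(cell: str) -> str:
    """Prefix formula-like cells with an apostrophe so spreadsheets store them as text.

    Double-quoting alone does not help: Excel strips the CSV quotes and still
    evaluates "=..." content. The leading apostrophe is a text marker that
    Excel and LibreOffice honour and hide from the displayed value.
    """
    return "'" + cell if is_formula(cell) else cell


def export_csv(rows, hardened: bool = True) -> str:
    """Render rows as CSV. hardened=False reproduces the vulnerable export."""
    buf = io.StringIO()
    # QUOTE_ALL handles embedded commas and quotes; it is not the injection fix.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize(c) if hardened else c for c in row])
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Read an export back and report (row, column) of every cell a spreadsheet
    would evaluate. Useful as a post-export check or a detection rule."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula(cell):
                hits.append((r, c))
    return hits


if __name__ == "__main__":
    print("vulnerable export:\n" + export_csv(SAMPLE_ROWS, hardened=False))
    print("hardened export:\n" + export_csv(SAMPLE_ROWS))
    print("formula cells in vulnerable export:",
          find_formula_cells(export_csv(SAMPLE_ROWS, hardened=False)))
```

The apostrophe prefix is visible to consumers that are not spreadsheets, so apply it only on the spreadsheet export path, not on the stored data. `find_formula_cells` is the same check turned around: run it over an export before it is delivered, or over exports found during incident response, to see which cells a spreadsheet would have executed.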
Good find! Does Workday still have a bug bounty program, or don't they anymore? Because I didn't find anything on their website.