This is one of the low-risk bugs found in Sahi Pro. The Reports web interface allows a user to export the executed automation scripts/suites in Excel format. It is possible to inject an Excel formula into the report, which results in command execution on the machine of the victim who exports it.
Proof of concept:
As shown previously with stored XSS, Excel formulas can be injected through the _testcase API inside a Sahi script, as follows.
Script used:
var $tc1 = _testcase("TC-1","=SUM(1+1)*cmd|' /C calc'!A0").start();
_log("testing csv injection");
$tc1.end();
Execute this Sahi script and export the report as follows:
Fig: executed Sahi script with formula injection.
Fig: the victim opens the file and clicks Yes on the warning, and the code executes on the victim's machine.
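The mitigation side of the proof of concept above, as an added example that is not part of the original post and not Sahi Pro's code: an export routine can neutralise any cell that starts with a formula trigger character before writing it. The function names and the CSV output format are assumptions, and the sample row is constructed from the script shown above.

```javascript
// Added example (hypothetical helper names, not Sahi Pro code): neutralise
// formula-leading cells before a report row is written to a CSV export.

// A spreadsheet treats a cell as a formula when it starts with one of these:
// = + - @, plus tab and carriage return (the set listed in OWASP's guidance).
const FORMULA_TRIGGERS = new Set(["=", "+", "-", "@", "\t", "\r"]);

function neutralizeCell(value) {
  const text = value === null || value === undefined ? "" : String(value);
  // Plain signed numbers such as -12 or +3.5 are data, not formulas; keep them.
  if (/^[+-]?\d+(\.\d+)?$/.test(text)) return text;
  // A leading apostrophe makes the spreadsheet store the cell as literal text.
  return FORMULA_TRIGGERS.has(text.charAt(0)) ? "'" + text : text;
}

function csvField(value) {
  // Quote every field and double embedded quotes so that a crafted value
  // cannot break out of its cell and start a new one.
  return '"' + neutralizeCell(value).replace(/"/g, '""') + '"';
}

function exportRow(cells) {
  return cells.map(csvField).join(",");
}

// Constructed sample row: testcase id, description, status, numeric delta.
const sampleRow = ["TC-1", "=SUM(1+1)*cmd|' /C calc'!A0", "PASSED", "-12"];
console.log(exportRow(sampleRow));
```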
Disclosure timeline:
Notified on: 8 / December / 2018
Affected versions: all versions of Sahi Pro (<= 8.x) (web application automation)
Vendor website: https://sahipro.com/