Product detail

Affected product: iTop
Affected version: 3.1.0-2-11973
Affected component: export-v2.php and ajax.render.php

CSV injection in the "export as CSV" function in 'export-v2.php' and 'ajax.render.php' in Combodo iTop version 3.1.0-2-11973 allows a malicious user to inject a malicious Excel formula, such as a DDE command, which opens a program like CMD or PowerShell in order to perform other actions, such as downloading a malicious DLL file or connecting to a C2 server with system privileges, via the export as CSV function.


Prerequisite

Install iTop from the official Combodo GitHub repository.

iTop version 4.0.3 released on Aug 9


Installed iTop version 3.1.0-2



Exploitation

1. Go to the contact page.
2. Create a new person.
3. Insert the CSV formula payloads in the first name and last name fields:

=cmd|' /C notepad'!'A1'
=cmd|' /C cmd.exe'!'A1'


As seen in the gif below, when the victim exports to CSV and opens it in a spreadsheet application, the DDE command gets executed, opening programs such as Notepad or CMD.




DDE commands are not sanitized
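The root cause described above is that text entered in person fields is written into the CSV export verbatim, so a value beginning with "=", "+", "-", "@" or a control character is interpreted by Excel or LibreOffice as a formula. The following Python example is added here and is not part of the advisory or of iTop's code: it shows the standard mitigation (neutralising formula-triggering cells at export time by prefixing a single quote) next to a scanner that flags formula-like cells in an existing export, which is useful both for verifying a fix and for checking exports already produced by an unpatched instance. The person records, field names and function names (`sanitize_cell`, `export_rows`, `scan_csv_for_formulas`) are constructed for the example; the payload strings mirror the ones from the report.

```python
import csv
import io
import re

# Leading characters that spreadsheet applications treat as the start of a
# formula. Tab and carriage return are checked separately because some
# importers honour them as cell separators, letting a later "=" start a cell.
FORMULA_TRIGGERS = ("=", "+", "-", "@")
CONTROL_TRIGGERS = ("\t", "\r")
# Plain signed numbers ("-12.5", "+3") are not formulas and must be left alone,
# otherwise every negative amount in an export would be turned into text.
NUMERIC = re.compile(r"[+-]?\d+(\.\d+)?")


def is_formula_like(value):
    """Return True when a spreadsheet would interpret this text as a formula."""
    if not isinstance(value, str):
        return False
    if value.startswith(CONTROL_TRIGGERS):
        return True
    stripped = value.lstrip()          # leading spaces do not stop Excel
    if not stripped.startswith(FORMULA_TRIGGERS):
        return False
    return NUMERIC.fullmatch(stripped) is None


def sanitize_cell(value):
    """Neutralise formula-like text by prefixing a single quote.

    The quote forces the cell to be read as a string; the original text is
    preserved, so an analyst can still see what was entered.
    """
    if is_formula_like(value):
        return "'" + value
    return value


def export_rows(rows, fieldnames, sanitize=True):
    """Render dict records as CSV text. sanitize=False reproduces the
    vulnerable behaviour (values written verbatim) for comparison."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(fieldnames)
    for row in rows:
        cells = [row.get(field, "") for field in fieldnames]
        if sanitize:
            cells = [sanitize_cell(cell) for cell in cells]
        writer.writerow(cells)
    return buf.getvalue()


def scan_csv_for_formulas(csv_text):
    """Detection helper: list (row, column, value) for every formula-like cell
    in an existing CSV export. Row 1 is the header."""
    findings = []
    reader = csv.reader(io.StringIO(csv_text))
    for row_no, row in enumerate(reader, start=1):
        for col_no, cell in enumerate(row, start=1):
            if is_formula_like(cell):
                findings.append((row_no, col_no, cell))
    return findings


# Constructed sample records: one person with the payloads from the report in
# both name fields, one benign person.
FIELDS = ["first_name", "last_name"]
SAMPLE_PERSONS = [
    {"first_name": "=cmd|' /C notepad'!'A1'", "last_name": "=cmd|' /C cmd.exe'!'A1'"},
    {"first_name": "Jane", "last_name": "Smith"},
]

if __name__ == "__main__":
    raw = export_rows(SAMPLE_PERSONS, FIELDS, sanitize=False)
    print("Unsanitised export flags:", scan_csv_for_formulas(raw))
    safe = export_rows(SAMPLE_PERSONS, FIELDS)
    print("Sanitised export flags:", scan_csv_for_formulas(safe))
    print(safe)
```

The single-quote prefix is the mitigation recommended by OWASP for CSV injection; a stricter alternative is to reject such input at the point where a person is created, but export-time sanitisation also covers records that were entered before the fix. Note that the scanner is a heuristic for operators reviewing exports, not a substitute for fixing the export path.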