Can ClamAV detect CSV Injection?

Question

I'm allowing users to upload CSV files. Other users can download these files. I'm aware that CSV could be an attack vector.

Would a ClamAV (or other AV) scan offer protection against such a file?

Any scan would happen only after validating the MIME type.

Have you already tried it yourself? Or searched in the ClamAV documentation? — Sjoerd, Mar 12 '19 at 12:56
The question is also posted here: https://stackoverflow.com/questions/55067124/can-clamav-detect-csv-injection — LLub, Mar 12 '19 at 20:10

score 5 · Accepted Answer · answered Mar 12 '19 at 18:33

5

ClamAV has, as far as I know, no specific detection features for CSV files. CSV injection is not a vulnerability that an AV would resolve directly. Instead, an AV may detect known malicious macro payloads that were injected into a file, regardless of the file type.

If you want to know about specific detection features, I suggest talking to the ClamAV maintainers. For now, I recommend following OWASP's advice on filtering: do not allow any cell to start with -, +, =, or @.

answered Mar 12 '19 at 18:33

Polynomial

132,208
43
298
379

2

I found you need to bypass the following characters: '=', '+', '-', '@', '|', '%'. Otherwise your filter can be bypassed. See: https://hackerone.com/reports/223999 – LLub Mar 12 '19 at 19:58
@Refineo Good to know. – Polynomial Mar 12 '19 at 23:36

Can ClamAV detect CSV Injection?

1 Answers1