Skip to content

Raw SVG loading may lead to complete data compromise from admin page

High
dantownsend published GHSA-pmww-v6c9-7p83 Mar 30, 2024

Package

pip piccolo-admin (pip)

Affected versions

<= 1.2.0

Patched versions

1.3.2

Description

Summary

Piccolo's admin panel provides the ability to upload media files and view them within the admin panel. If SVG is an allowed file type for upload; the default; an attacker can upload an SVG which when loaded under certain contexts allows for arbitrary access to the admin page.

This access allows the following actions for example:

  • The ability for an attacker to gain access to all data stored within the admin page
  • The ability for an attacker to make any action within the admin page such as creating, modifying or deleting table records

As the SVG is executed from the context of an authenticated admin session, any actions they may be able to make can be made by the attacker.

N.b. The relevant session cookies are inaccessible from JavaScript due to httponly being set so all exploits must be present within the SVG file

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.

Currently, this requires the ability for a user to have access to an administrators account in order to upload the malicious file for simplicity sake. I can however imagine situations where general end users have the ability to upload files which can later be managed via the admin page.

See the following repository: Piccolo XSS

  1. Clone the repo
  2. Run all migrations & create an admin user
  3. Run app.py as a FastAPI application
  4. Login to the admin page
  5. Create a new task and upload the following file to see basic execution: payloads/basic_xss.svg
  6. Click the SVG to view it inline
  7. Click "Open image in new tab"
  8. Observe the XSS triggering

Fig 1: An example XSS payload executing
Example XSS

Extended PoC

This repo also includes an extended PoC which sends the Task table to an attacker controlled server.

  1. Run exhil_server.py as a FastAPI application
  2. Upload the following payload: payloads/exhil.svg
  3. Open the SVG in a new tab and observe the data being sent to the attacker controlled server

Fig 2: An example screenshot from the attacker controlled server showing incoming data
Example data sent to attacker server

Further, the repo includes a list of routes the admin panel exposes which could be used to automate table discovery and compromise in a more sophisticated PoC.

Impact

What kind of vulnerability is it? Who is impacted?

All applications with the following conditions present are affected:

  • An enabled admin panel
  • A model which features media upload that allows for SVG files

Further, if the site is behind a proxy of sorts it must not set the relevant security headers.

Further thoughts

While this issue has been raised against the piccolo_admin repository, it technically exists for all file uploads within a piccolo website if an end developer chooses to include the ability to view SVG files inline within their application. Further thought should likely be given to either or both of the following:

  • Ensuring the documentation for media handling includes some form of warning/recommendation relating to this. Ideally I think it should just provide an example of a code fix and link to security headers to test their own application
  • Modifying the Piccolo template generation to include the relevant security headers by default. These include things such as xss protection and a content security policy. This site is a great resource for testing the security headers set on a website

Given the need to allow end developers the freedom to allow for SVG upload, removing the ability to upload them entirely is likely out of the picture.

This could also be resolved by making attempts to view attachments in a new tab set the relevant content-disposition header and force the browser to download the file instead of rendering it inline of the website.

What are your thoughts on the approach to take to mitigate this?

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

CVE ID

CVE-2024-30248

Weaknesses

No CWEs

Credits