Summary
Piccolo's admin panel provides the ability to upload media files and view them within the admin panel. If SVG is an allowed file type for upload; the default; an attacker can upload an SVG which when loaded under certain contexts allows for arbitrary access to the admin page.
This access allows the following actions for example:
- The ability for an attacker to gain access to all data stored within the admin page
- The ability for an attacker to make any action within the admin page such as creating, modifying or deleting table records
As the SVG is executed from the context of an authenticated admin session, any actions they may be able to make can be made by the attacker.
N.b. The relevant session cookies are inaccessible from JavaScript due to httponly being set so all exploits must be present within the SVG file
PoC
Complete instructions, including specific configuration details, to reproduce the vulnerability.
Currently, this requires the ability for a user to have access to an administrators account in order to upload the malicious file for simplicity sake. I can however imagine situations where general end users have the ability to upload files which can later be managed via the admin page.
See the following repository: Piccolo XSS
- Clone the repo
- Run all migrations & create an admin user
- Run
app.py as a FastAPI application
- Login to the admin page
- Create a new task and upload the following file to see basic execution:
payloads/basic_xss.svg
- Click the SVG to view it inline
- Click "Open image in new tab"
- Observe the XSS triggering
Fig 1: An example XSS payload executing
Extended PoC
This repo also includes an extended PoC which sends the Task table to an attacker controlled server.
- Run
exhil_server.py as a FastAPI application
- Upload the following payload:
payloads/exhil.svg
- Open the SVG in a new tab and observe the data being sent to the attacker controlled server
Fig 2: An example screenshot from the attacker controlled server showing incoming data
Further, the repo includes a list of routes the admin panel exposes which could be used to automate table discovery and compromise in a more sophisticated PoC.
Impact
What kind of vulnerability is it? Who is impacted?
All applications with the following conditions present are affected:
- An enabled admin panel
- A model which features media upload that allows for SVG files
Further, if the site is behind a proxy of sorts it must not set the relevant security headers.
Further thoughts
While this issue has been raised against the piccolo_admin repository, it technically exists for all file uploads within a piccolo website if an end developer chooses to include the ability to view SVG files inline within their application. Further thought should likely be given to either or both of the following:
- Ensuring the documentation for media handling includes some form of warning/recommendation relating to this. Ideally I think it should just provide an example of a code fix and link to security headers to test their own application
- Modifying the Piccolo template generation to include the relevant security headers by default. These include things such as xss protection and a content security policy. This site is a great resource for testing the security headers set on a website
Given the need to allow end developers the freedom to allow for SVG upload, removing the ability to upload them entirely is likely out of the picture.
This could also be resolved by making attempts to view attachments in a new tab set the relevant content-disposition header and force the browser to download the file instead of rendering it inline of the website.
What are your thoughts on the approach to take to mitigate this?
Summary
Piccolo's admin panel provides the ability to upload media files and view them within the admin panel. If SVG is an allowed file type for upload; the default; an attacker can upload an SVG which when loaded under certain contexts allows for arbitrary access to the admin page.
This access allows the following actions for example:
As the SVG is executed from the context of an authenticated admin session, any actions they may be able to make can be made by the attacker.
N.b. The relevant session cookies are inaccessible from JavaScript due to httponly being set so all exploits must be present within the SVG file
PoC
Complete instructions, including specific configuration details, to reproduce the vulnerability.
Currently, this requires the ability for a user to have access to an administrators account in order to upload the malicious file for simplicity sake. I can however imagine situations where general end users have the ability to upload files which can later be managed via the admin page.
See the following repository: Piccolo XSS
app.pyas a FastAPI applicationpayloads/basic_xss.svgFig 1: An example XSS payload executing
Extended PoC
This repo also includes an extended PoC which sends the
Tasktable to an attacker controlled server.exhil_server.pyas a FastAPI applicationpayloads/exhil.svgFig 2: An example screenshot from the attacker controlled server showing incoming data
Further, the repo includes a list of routes the admin panel exposes which could be used to automate table discovery and compromise in a more sophisticated PoC.
Impact
What kind of vulnerability is it? Who is impacted?
All applications with the following conditions present are affected:
Further, if the site is behind a proxy of sorts it must not set the relevant security headers.
Further thoughts
While this issue has been raised against the
piccolo_adminrepository, it technically exists for all file uploads within a piccolo website if an end developer chooses to include the ability to view SVG files inline within their application. Further thought should likely be given to either or both of the following:Given the need to allow end developers the freedom to allow for SVG upload, removing the ability to upload them entirely is likely out of the picture.
This could also be resolved by making attempts to view attachments in a new tab set the relevant content-disposition header and force the browser to download the file instead of rendering it inline of the website.
What are your thoughts on the approach to take to mitigate this?