CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
9.0%
Piccolo’s admin panel provides the ability to upload media files and view them within the admin panel. If SVG is an allowed file type for upload; the default; an attacker can upload an SVG which when loaded under certain contexts allows for arbitrary access to the admin page.
This access allows the following actions for example:
As the SVG is executed from the context of an authenticated admin session, any actions they may be able to make can be made by the attacker.
N.b. The relevant session cookies are inaccessible from JavaScript due to httponly being set so all exploits must be present within the SVG file
Complete instructions, including specific configuration details, to reproduce the vulnerability.
Currently, this requires the ability for a user to have access to an administrators account in order to upload the malicious file for simplicity sake. I can however imagine situations where general end users have the ability to upload files which can later be managed via the admin page.
See the following repository: Piccolo XSS
app.py
as a FastAPI applicationpayloads/basic_xss.svg
Fig 1: An example XSS payload executing
This repo also includes an extended PoC which sends the Task
table to an attacker controlled server.
exhil_server.py
as a FastAPI applicationpayloads/exhil.svg
Fig 2: An example screenshot from the attacker controlled server showing incoming data
Further, the repo includes a list of routes the admin panel exposes which could be used to automate table discovery and compromise in a more sophisticated PoC.
What kind of vulnerability is it? Who is impacted?
All applications with the following conditions present are affected:
Further, if the site is behind a proxy of sorts it must not set the relevant security headers.
While this issue has been raised against the piccolo_admin
repository, it technically exists for all file uploads within a piccolo website if an end developer chooses to include the ability to view SVG files inline within their application. Further thought should likely be given to either or both of the following:
Given the need to allow end developers the freedom to allow for SVG upload, removing the ability to upload them entirely is likely out of the picture.
This could also be resolved by making attempts to view attachments in a new tab set the relevant content-disposition header and force the browser to download the file instead of rendering it inline of the website.
What are your thoughts on the approach to take to mitigate this?
Vendor | Product | Version | CPE |
---|---|---|---|
piccolo-orm | piccolo | * | cpe:2.3:a:piccolo-orm:piccolo:*:*:*:*:*:*:*:* |
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
9.0%