picocms / Pico

Pico is a stupidly simple, blazing fast, flat file CMS.
http://picocms.org/
MIT License

Cross-site Scripting (XSS) - Stored in picocms/Pico #591

Closed PhrozenByte closed 3 years ago

PhrozenByte commented 3 years ago

Reported by @x3rz via email on 2021-06-21 20:57 CEST

→ Please refer to huntr.dev for the full report


✍️ Description

Stored XSS vulnerability found due to improper sanitization of markdown files.

🕵️‍♂️ Proof of Concept

Steps to reproduce:
1. Set up picocms.
2. Create an md file and write:
[XSS](javascript:window.onerror=confirm;throw%201337)
[CaseInsensitive](JaVaScRiPt:alert('XSS'))
[URL](javascript://www.google.com%0Aalert('U_XSS'))
3. You will see that on clicking each link, the XSS gets triggered.

💥 Impact

This vulnerability is capable of executing malicious JavaScript on anyone who visits a picocms-based website.

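The three link targets in the proof of concept all reach the browser as javascript: URLs even though only the first one literally starts with the lower-case string "javascript:". The following is an added example (written for this page, not Pico's code and not part of the report) that contrasts a literal-prefix check with the check a URI-scheme allow-list such as HTMLPurifier's applies: parse the target the way the browser does, then compare the resulting scheme against a short list of permitted ones. ALLOWED_SCHEMES, the base URL and the sample targets beyond the report's three payloads are assumptions of the example.

```javascript
// Added example (not Pico's code): decide whether a Markdown link target is
// safe to emit as an href, the way an XSS filter with a URI scheme allow-list
// would. The first three sample targets are the report's payloads verbatim;
// ALLOWED_SCHEMES, the base URL and the other samples are assumptions.

const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// The check many hand-rolled sanitizers use. It looks only at the literal
// prefix, so mixed case, embedded whitespace and other schemes slip past it.
function naiveIsSafe(href) {
  return !href.startsWith('javascript:');
}

// Resolve the target the way a browser would (WHATWG URL parser, available in
// Node as the global URL). The parser lower-cases the scheme, strips leading
// and trailing C0 controls/spaces and removes embedded tabs and newlines, so
// "JaVaScRiPt:" and "java\tscript:" both come out as "javascript:". Relative
// targets resolve against the page base and therefore inherit its scheme.
function resolvedScheme(href, base = 'https://example.invalid/') {
  try {
    return new URL(href, base).protocol;
  } catch {
    return null; // unparseable: never emit it as a clickable href
  }
}

function isSafeLinkTarget(href) {
  const scheme = resolvedScheme(href);
  return scheme !== null && ALLOWED_SCHEMES.has(scheme);
}

// What a sanitizing renderer would do with a rejected target: keep the link
// text but neutralise the destination.
function sanitizeHref(href) {
  return isSafeLinkTarget(href) ? href : '#';
}

// Constructed samples: the first three are the report's payloads verbatim.
const SAMPLE_TARGETS = [
  "javascript:window.onerror=confirm;throw%201337",
  "JaVaScRiPt:alert('XSS')",
  "javascript://www.google.com%0Aalert('U_XSS')",
  "java\tscript:alert(1)",                      // tab inside the scheme
  "  javascript:alert(1)",                      // leading whitespace
  "data:text/html,<script>alert(1)</script>",   // a different executable scheme
  "https://picocms.org/",
  "/docs/",                                     // relative: inherits https: from the base
  "mailto:hello@example.invalid",
];

// Compare the two checks over the samples; returns one row per target.
function auditTargets(targets = SAMPLE_TARGETS) {
  return targets.map((href) => ({
    href,
    scheme: resolvedScheme(href),
    naiveAllows: naiveIsSafe(href),
    allowListAllows: isSafeLinkTarget(href),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(auditTargets());
}
```

Run with node and the table shows the naive check letting the mixed-case, tab and data: targets through while the allow-list rejects every non-http(s)/mailto scheme. The shape matters more than the list: deny-listing "javascript:" is never enough, because the browser normalises the string before choosing a scheme, and a filter has to apply the same normalisation (and run after the Markdown parser has done its own entity decoding) before it decides.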

PhrozenByte commented 3 years ago

Comment by @PhrozenByte


Thank you for your report! :+1:

I'm afraid this is intended behaviour and not a security issue, because the Markdown contents aren't user-controllable input.

Pico https://github.com/picocms/Pico is a content management system (CMS), allowing users to create their own websites. There's no built-in user management, thus only one user with full file access to the webserver (i.e. "the administrator") is capable of editing contents, usually using e.g. SSH or FTP. Non-privileged users can't edit content files, especially not via HTTP(S).

This is different from Pico CMS for Nextcloud https://github.com/nextcloud/cms_pico, which actually allows arbitrary, non-privileged users of the Nextcloud installation to create their own websites. For this reason Pico CMS for Nextcloud includes an XSS protection using HTMLPurifier.

Waiting for your response before marking this as invalid and publishing your findings on GitHub. Thanks again for your research! :+1:

Greetings Daniel Rudolf @PhrozenByte https://github.com/PhrozenByte

PhrozenByte commented 3 years ago

Comment by @x3rz (Researcher)


Thank you for your response. I agree with your point of view, and I also understand that it could only have an impact when the admin injects malicious JavaScript into markdown files. So my whole point in reporting was that a malicious admin could misuse the intentional behaviour of picoCMS, which could lead to the execution of malicious JavaScript on the viewer's end, which is not good, and also a rare case but very impactful. So I suggest you implement XSS protection on this one also, as in the Nextcloud version, or by using any other library.

PhrozenByte commented 3 years ago

Comment by @PhrozenByte


I honestly don't see how this would improve security. Admins have full control over their webspace anyway: they can change their themes (Twig templates) to include arbitrary contents, and they can edit any PHP file to include arbitrary contents. CWE-79 doesn't apply, because Markdown files are not user-supplied content for Pico websites; only webserver admins can edit these files, just like with any other CMS.

PhrozenByte commented 3 years ago

Comment by @x3rz (Researcher)


Let's take a scenario: the admin knows that if he embeds JS in a markdown file, it will get executed, by which he/she can do all the potential things that could happen via stored XSS, as the markdown file content is not sanitized. So anyone who visits his/her page containing the XSS payload will have it executed in the user's/viewer's browser. The attack can be prevented if you add markdown sanitization.

PhrozenByte commented 3 years ago

Comment by @PhrozenByte


I don't doubt that this is possible, it definitely is, but how does sanitization improve security here? Let's imagine we'd add HTMLPurifier: how do we prevent the same person from simply editing the Twig template, or even index.php, to include the malicious contents instead? The webserver admin could also simply remove HTMLPurifier again. This is like building a garden gate without a fence.

Thus I disagree that this is a security issue; neither Pico nor any other CMS can prevent this from happening. Webserver admins have full control over what is being served by design. Please keep in mind that Pico is a single-user, user = webserver admin CMS.

I very much appreciate your research and a huge thank you for the heads up! :heart:

Since we both agree that there's no immediate threat, I'll publish this conversation on GitHub (as stated in Pico's SECURITY.md) and mark this as invalid for now. Nevertheless I'm open for new arguments on this.

PhrozenByte commented 3 years ago

@PhrozenByte invalidated this vulnerability


Markdown contents aren't user-controllable input on Pico, but editable by the webserver admin only