Stored XSS in Django Admin Portal in django-treebeard/django-treebeard
Reported on
Sep 29th 2022
Description
Django-treebeard suffers from a stored XSS in the TreeAdmin class when certain preconditions are met. The XSS is triggered when a privileged user visits a page in the Django admin portal. In order to successfully exploit this vulnerability, three preconditions must hold:
- (1) a Django model subclasses the AL_Node class from treebeard.al_tree
- (2) the Django model is registered to the admin panel using treebeard's TreeAdmin class
- (3) the attacker is able to write data into a model field that is returned by the __str__ method of the model.
In order to better understand the prerequisites, please follow the proof of concept below.
Proof of Concept
In order to re-create a vulnerable scenario, first create a model, called for example Project, that subclasses AL_Node and returns one of the model's fields from the __str__ method of the model:
# models.py
from django.db import models
from treebeard.al_tree import AL_Node


class Project(AL_Node):
    parent = models.ForeignKey('self',
                               on_delete=models.CASCADE,
                               related_name='children_set',
                               verbose_name='Father',
                               blank=True,
                               null=True,
                               db_index=True)
    name = models.CharField(max_length=100)
    node_order_by = ['name']

    def __str__(self) -> str:
        # The user-controlled field is what the admin tree list renders
        return self.name
Then, register the model "Project" to the Django admin site using treebeard's TreeAdmin:
# admin.py
from django.contrib import admin
from core.models import Project
from treebeard.admin import TreeAdmin

admin.site.register(Project, TreeAdmin)
Now let's suppose an attacker is able to create a project with an arbitrary name, for example: <script>alert(1)</script>
Now, when an administrator visits the model list page in the Django admin site, the payload gets executed, thus causing a stored XSS.
This stored XSS happens due to improper sanitization at https://github.com/django-treebeard/django-treebeard/blob/70fd011f5a3bc7fe21653cbdba2c7d6e931aaec2/treebeard/templatetags/admin_tree_list.py#L27 : the str(node) value is in fact marked as safe when, in my opinion, it shouldn't be, as there is a chance it will contain user input.
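To make the root cause concrete, the following is an added example, not code from this report or from the django-treebeard project. It puts the pattern described above (str(node) interpolated into the list markup and treated as safe) side by side with an escaped variant, and adds a small defender-side check that flags field values which reach the rendered HTML verbatim. The Node class is a constructed stand-in for the Project model; the stdlib html.escape is used as a stand-in for django.utils.html.escape / format_html so the snippet runs without Django installed.

```python
import html
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class Node:
    """Constructed stand-in for the Project model: __str__ returns a user-controlled field."""
    name: str

    def __str__(self) -> str:
        return self.name


def render_row_marked_safe(node: Node) -> str:
    """Mirrors the reported pattern: str(node) is dropped into the list HTML and
    treated as already-safe markup, so a name such as <script>alert(1)</script>
    reaches the admin page as live HTML."""
    return f"<li>{str(node)}</li>"


def render_row_escaped(node: Node) -> str:
    """Hardened variant: the field value is HTML-escaped before interpolation.
    Inside a Django template tag the equivalent is django.utils.html.escape()
    or format_html(); html.escape is used here only so the example runs offline."""
    return f"<li>{html.escape(str(node), quote=True)}</li>"


def render_tree(nodes: Iterable[Node], *, escaped: bool) -> str:
    """Render a flat list of nodes with either variant (tree nesting omitted)."""
    rows = [render_row_escaped(n) if escaped else render_row_marked_safe(n) for n in nodes]
    return "<ul>" + "".join(rows) + "</ul>"


def find_unescaped_markup(rendered: str, raw_values: Iterable[str]) -> List[str]:
    """Defender-side check: return the raw field values that contain HTML-significant
    characters and still appear verbatim (unescaped) in the rendered output."""
    risky = [v for v in raw_values if any(c in v for c in "<>\"'&")]
    return [v for v in risky if v in rendered]


# Constructed sample data: one benign name and one name carrying the report's payload.
SAMPLE_NODES = [Node("Website redesign"), Node("<script>alert(1)</script>")]

if __name__ == "__main__":
    unsafe = render_tree(SAMPLE_NODES, escaped=False)
    safe = render_tree(SAMPLE_NODES, escaped=True)
    names = [str(n) for n in SAMPLE_NODES]
    print("marked safe :", unsafe)
    print("escaped     :", safe)
    print("leaks (marked safe):", find_unescaped_markup(unsafe, names))
    print("leaks (escaped)    :", find_unescaped_markup(safe, names))
```

The check in find_unescaped_markup is deliberately simple: it only tells you whether a value that carries markup characters survived rendering untouched, which is exactly the condition precondition (3) above relies on. Marking a string safe is only appropriate when every part of it was produced by trusted code; anything that passes through __str__ of a model with user-writable fields does not qualify.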
Impact
If successfully exploited, an attacker is able to inject arbitrary JavaScript code that gets stored in the database and executed when an administrator visits the list of entries of the affected model.
Hey @admin, thank you. Is it possible to get a CVE assigned for this? Thanks!
@solarissmoke - hey Samir, thank you for your hard work and dedication to maintaining secure and reliable code.
As django-treebeard is a widely used library and I found this vuln in a real penetration test, having a CVE can greatly assist other developers in identifying whether they are affected by the issue.
Huntr, as a CNA, can assign the CVE in a matter of minutes.
If you prefer not to, don't worry. Anyway, thanks for your work.
CVE assignment is in the hands of the maintainer; they have the option to assign one during the publication process :)