Description
NiceGUI apps that use ui.sub_pages are vulnerable to zero-click XSS
Summary
An unsafe implementation in the pushstate event listener used by ui.sub_pages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe.
Details
The problem is traced as follows:
- On pushstate, handleStateEvent is executed.
- handleStateEvent emits the sub_pages_open event.
- SubPagesRouter (used by ui.sub_pages), listening on sub_pages_open, runs _handle_open.
- _handle_open finds any SubPages and runs _show() on them.
- If the if-logic is followed or debug prints are added, it can be seen that _show() calls self._handle_scrolling(match, behavior='smooth') directly.
- CULPRIT: _handle_scrolling runs _scroll_to_fragment because a fragment is present, and that runs the vulnerable JS: the attacker-controlled fragment is placed inside a quoted JavaScript string, so a fragment that escapes out of the quotes is executed as code.
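To make the "escapes out of the quotes" step concrete, here is an added example; it is not NiceGUI's code and the function names, the allowlist regex and the attacker fragment are assumptions for illustration. It places a builder that interpolates the fragment into JavaScript source (the pattern the trace above describes) beside a builder that hands the fragment to getElementById as a JSON-encoded string literal, and a scanner for each that shows what a JavaScript parser would actually see as the literal.

```python
import json
import re

# Allowlist for fragments that are only ever used as an element id to scroll to.
# This regex is an assumption for this example, not NiceGUI's own validation.
_FRAGMENT_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.:-]*$")

# JavaScript that receives the fragment as a function argument, i.e. as data.
_SCROLL_FN = (
    "(function (id) { var el = document.getElementById(id); "
    "if (el) el.scrollIntoView({behavior: 'smooth'}); })"
)


def build_scroll_js_unsafe(fragment: str) -> str:
    """Interpolate the fragment straight into JavaScript source.

    Illustrative pattern, not NiceGUI's actual _scroll_to_fragment: whatever
    follows '#' in the URL lands inside a quoted JS string, so a quote in the
    fragment closes the string and the rest is executed as code.
    """
    return f"document.querySelector('#{fragment}').scrollIntoView({{behavior: 'smooth'}})"


def literal_seen_by_js(js_unsafe: str) -> str:
    """Return the content of the single-quoted literal that follows "('#".

    Scans the way a JS parser would: a backslash escapes the next character
    and the first unescaped single quote terminates the literal.
    """
    i = js_unsafe.index("('#") + 3
    out = []
    while i < len(js_unsafe):
        ch = js_unsafe[i]
        if ch == "\\" and i + 1 < len(js_unsafe):
            out.append(js_unsafe[i + 1])
            i += 2
            continue
        if ch == "'":
            return "".join(out)
        out.append(ch)
        i += 1
    raise ValueError("unterminated string literal")


def js_string_literal(value: str) -> str:
    """Encode value as a JS string literal that cannot terminate itself.

    json.dumps escapes '"', '\\' and control characters, and with the default
    ensure_ascii=True also escapes every non-ASCII character (including the
    JS line terminators U+2028/U+2029). '<' is escaped too, so the literal
    can never form '</script>' if the snippet is ever placed inside HTML.
    """
    return json.dumps(value).replace("<", "\\u003c")


def build_scroll_js_safe(fragment: str) -> str:
    """Pass the fragment to getElementById as a string literal, never as code."""
    return f"{_SCROLL_FN}({js_string_literal(fragment)})"


def is_valid_fragment(fragment: str) -> bool:
    """Reject fragments before they reach any JS at all (defence in depth)."""
    return bool(_FRAGMENT_RE.match(fragment))


def embedded_fragment(js_safe: str) -> str:
    """Recover the literal the safe builder embedded.

    raw_decode parses exactly one JSON value at the argument position, so this
    succeeds only if the whole fragment is still a single well-formed literal.
    """
    start = len(_SCROLL_FN) + 1
    value, end = json.JSONDecoder().raw_decode(js_safe, start)
    if js_safe[end:] != ")":
        raise ValueError("unexpected trailing code after the literal")
    return value


if __name__ == "__main__":
    payload = "x'); alert(document.domain); //"  # constructed attacker fragment
    print(build_scroll_js_unsafe(payload))
    print("JS sees literal:", repr(literal_seen_by_js(build_scroll_js_unsafe(payload))))
    print(build_scroll_js_safe(payload))
    print("JS sees literal:", repr(embedded_fragment(build_scroll_js_safe(payload))))
```

With the constructed fragment, the unsafe build's literal ends after the single character x and alert(document.domain) becomes a statement of its own; the safe build keeps the entire fragment inside one literal, and getElementById looks it up verbatim without ever parsing it as a selector or as code. The allowlist is the second layer: a fragment that is not a plausible element id should not be scrolled to at all.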
PoC
Just visiting this page (no click required) consistently triggers XSS in the https://nicegui.io domain.
Impact
Any page that uses ui.sub_pages and does not actively prevent itself from being put in an iframe is affected.
The impact is high because, by default, NiceGUI pages are iframe-embeddable with no native opt-out other than manipulating the underlying app via FastAPI methods, and because ui.sub_pages is actively promoted as the new modern way to create Single-Page Applications (SPA).
Patch
- Do not use ui.sub_pages
- Block iframes with the following code
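The advisory's own iframe-blocking snippet is not reproduced on this page. As an added example (not the advisory's or NiceGUI's code), here is a pure-ASGI middleware that forces X-Frame-Options: DENY and a Content-Security-Policy frame-ancestors 'none' directive onto every HTTP response, with a constructed one-page app to show the headers a browser would receive. It imports neither Starlette nor NiceGUI so that it runs stand-alone; the header names and values are standard, the class and function names are assumptions.

```python
import asyncio
from typing import Dict, List, Tuple

Headers = List[Tuple[bytes, bytes]]


def harden_headers(headers: Headers) -> Headers:
    """Force X-Frame-Options: DENY and make sure the CSP carries frame-ancestors 'none'.

    An existing X-Frame-Options value (for example SAMEORIGIN) is replaced.
    An existing Content-Security-Policy is extended rather than overwritten;
    if it already contains a frame-ancestors directive it is left untouched,
    because browsers honour only the first occurrence of a directive and a
    second one appended here would be silently ignored.
    """
    out: Headers = [(k, v) for k, v in headers if k.lower() != b"x-frame-options"]
    out.append((b"x-frame-options", b"DENY"))
    csp_at = next(
        (i for i, (k, _) in enumerate(out) if k.lower() == b"content-security-policy"),
        None,
    )
    if csp_at is None:
        out.append((b"content-security-policy", b"frame-ancestors 'none'"))
    elif b"frame-ancestors" not in out[csp_at][1].lower():
        key, value = out[csp_at]
        out[csp_at] = (key, value.rstrip(b"; ") + b"; frame-ancestors 'none'")
    return out


class FrameDenyMiddleware:
    """ASGI 3 middleware (no framework imports) that hardens every HTTP response."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":  # websocket traffic passes through unchanged
            await self.app(scope, receive, send)
            return

        async def send_hardened(message):
            if message["type"] == "http.response.start":
                message = dict(message)
                message["headers"] = harden_headers(list(message.get("headers", [])))
            await send(message)

        await self.app(scope, receive, send_hardened)


def response_headers(app_headers: Headers) -> Dict[bytes, bytes]:
    """Drive a constructed one-response ASGI app through the middleware and
    return the headers the browser would receive."""

    async def page(scope, receive, send):
        await send({"type": "http.response.start", "status": 200, "headers": app_headers})
        await send({"type": "http.response.body", "body": b"<h1>sub page</h1>"})

    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    scope = {"type": "http", "method": "GET", "path": "/", "headers": []}
    asyncio.run(FrameDenyMiddleware(page)(scope, receive, send))
    return dict(sent[0]["headers"])


if __name__ == "__main__":
    for name, value in response_headers([(b"content-type", b"text/html")]).items():
        print(name.decode(), ":", value.decode())
```

NiceGUI exposes its FastAPI application as nicegui.app, so the assumed wiring is app.add_middleware(FrameDenyMiddleware) before ui.run(); that mounting step is not exercised by the example. Sending both headers matters: browsers that understand frame-ancestors ignore X-Frame-Options, older ones only know X-Frame-Options. If the application legitimately needs to be framed by specific origins, replace 'none' with those origins in frame-ancestors and drop X-Frame-Options, which cannot express an allowlist.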
Appendix
AI was used to judge the CVSS scoring (the input was redacted).
The results can be found at https://poe.com/s/3FXuwp7TAYxqLomARXma
Scoring update after manual review
The scoring done by the AI was quite biased. Upon further review the impact is less dramatic.
- User Interaction None: almost no interaction is required, and none of the interaction is with the vulnerable system.
- Confidentiality & Integrity Low: the extent of confidentiality and integrity loss is bounded by the highest-privileged user of the NiceGUI application. There is no way to perform data-manipulating tasks that such an admin cannot already perform.
- Availability None: no denial of service is possible with this. The site remains as performant as ever.
Packages
Package: nicegui
Affected versions: >= 2.22.0, <= 3.4.1
Patched version: 3.5.0
Related vulnerabilities
NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.sub_pages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. This issue has been patched in version 3.5.0.