lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 03 Jul 2015 10:59:51 +0200 From: Federico Fazzi <federico.fazzi@...il.com> To: bugtraq@...urityfocus.com Subject: Snorby 2.6.2 - Stored Cross-site Scripting Vulnerability -------------------------------------------------------- Snorby 2.6.2 - Stored Cross-site Scripting Vulnerability -------------------------------------------------------- Vendor ------ https://www.snorby.org/ Version ------- 2.6.2 Description ----------- During my research and testing of new IDS (Intrusion Detection System) like Suricata, I've found a Stored Cross-site Scripting (XSS) vulnerability in Snorby (that I'd like to use as web user interface for suricata). The vulnerability exists in the module for adding a new threat classification model where the user input is not correctly sanitized before being saved it on the database or for example the output is not properly filtered, before its rendering in the event/menu code, in this way the vector gets executed. Vulnerability ------------- The output from the page snorby/app/views/events/_menu.html.erb is not properly sanitized before its rendering: --_menu.html.erb-- <% @classifications.each do |cls| %> <% if cls.locked && cls.hotkey %> <%= drop_down_item "#{cls.name}#{cls.shortcut}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %> <% else %> <%= drop_down_item "#{cls.name}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %> <% end %> <% end %> --end-- Mitigation ---------- A simple XSS mitigation on rails could be the usage of the sanitize, for example the code below filters the xss vector by removing the onerror attribute from the image tag: --_menu.html.erb-- <% @classifications.each do |cls| %> <% if cls.locked && cls.hotkey %> <%= drop_down_item "#{sanitize cls.name}#{cls.shortcut}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %> <% else %> <%= drop_down_item "#{sanitize cls.name}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %> <% end %> <% end %> --end-- Solution -------- Update to the latest version on Github. Disclosure ---------- 30-06-2015 – Vendor notification (https://github.com/Snorby/snorby/issues/377) 30-06-2015 – CVE id requested 01-07-2015 - Vendor acknowledgement 01-07-2015 - Vendor pushed a fix (commit-id: https://github.com/Snorby/snorby/commit/89d7cbcd3697c8a842f1a61b99e9a78f295798fb) Credits ------- Federico Fazzi - federico.fazzi@...il.com Web: http://deftcode.ninja -- Federico Fazzi Mobile: +39 345 2327231 <tel:+3934%202327231> http://deftcode.ninja
Powered by blists - more mailing lists