Snorby 2.6.2 Stored Cross-site Scripting Vulnerability

2015.07.05
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

--------------------------------------------------------
Snorby 2.6.2 - Stored Cross-site Scripting Vulnerability
--------------------------------------------------------

Vendor
------
https://www.snorby.org/

Version
-------
2.6.2

Description
-----------
During my research and testing of new IDS (Intrusion Detection System) like Suricata, I've found a Stored Cross-site Scripting (XSS) vulnerability in Snorby (which I'd like to use as a web user interface for Suricata).

The vulnerability exists in the module for adding a new threat classification model, where the user input is not correctly sanitized before being saved to the database, or the output is not properly filtered before its rendering in the event/menu code, so the vector gets executed.

Vulnerability
-------------
The output from the page snorby/app/views/events/_menu.html.erb is not properly sanitized before its rendering:

--_menu.html.erb--
<% @classifications.each do |cls| %>
  <% if cls.locked && cls.hotkey %>
    <%= drop_down_item "#{cls.name}#{cls.shortcut}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %>
  <% else %>
    <%= drop_down_item "#{cls.name}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %>
  <% end %>
<% end %>
--end--

Mitigation
----------
A simple XSS mitigation in Rails is the sanitize helper. For example, the code below filters the XSS vector by removing the onerror attribute from the image tag:

--_menu.html.erb--
<% @classifications.each do |cls| %>
  <% if cls.locked && cls.hotkey %>
    <%= drop_down_item "#{sanitize cls.name}#{cls.shortcut}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %>
  <% else %>
    <%= drop_down_item "#{sanitize cls.name}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %>
  <% end %>
<% end %>
--end--

Solution
--------
Update to the latest version on Github.

Disclosure
----------
30-06-2015 - Vendor notification (https://github.com/Snorby/snorby/issues/377)
30-06-2015 - CVE id requested
01-07-2015 - Vendor acknowledgement
01-07-2015 - Vendor pushed a fix (commit-id: https://github.com/Snorby/snorby/commit/89d7cbcd3697c8a842f1a61b99e9a78f295798fb)

Credits
-------
Federico Fazzi - federico.fazzi () gmail com
Web: http://deftcode.ninja

--
Federico Fazzi
Mobile: +39 345 2327231
http://deftcode.ninja
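
Added example (not part of the original advisory and not Snorby's code): the menu loop rendered with Ruby's standard-library ERB, once with the classification name interpolated as-is and once with the label HTML-encoded, plus a regression check that lists any link text still containing a tag. It uses plain output encoding (ERB::Util.html_escape) in place of the Rails sanitize helper, which is not available outside Rails. Assumptions: drop_down_item here is a hypothetical stand-in that emits its label unchanged, and the classification rows are constructed sample data.

```ruby
require 'erb'

# Constructed rows standing in for @classifications (not real Snorby data).
Classification = Struct.new(:id, :name, :shortcut)
SAMPLE = [
  Classification.new(1, 'False Positive', ' [F1]'),
  Classification.new(2, '<img src=x onerror="alert(1)">', nil)
].freeze

# Hypothetical stand-in for Snorby's drop_down_item helper. Assumption: the
# label reaches the page unchanged, which is what the advisory's finding implies.
def drop_down_item(label, href, _icon = nil, attrs = {})
  attr_text = attrs.map { |k, v| %( #{k}="#{ERB::Util.html_escape(v)}") }.join
  %(<li><a href="#{href}"#{attr_text}>#{label}</a></li>)
end

# The loop from _menu.html.erb reduced to one branch, label interpolated as-is.
MENU_RAW = <<~'TPL'
  <% classifications.each do |cls| %>
  <%= drop_down_item "#{cls.name}#{cls.shortcut}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %>
  <% end %>
TPL

# Same loop with the whole label HTML-encoded before it reaches the helper.
MENU_ENCODED = <<~'TPL'
  <% classifications.each do |cls| %>
  <%= drop_down_item ERB::Util.html_escape("#{cls.name}#{cls.shortcut}"), '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %>
  <% end %>
TPL

def render_menu(template, classifications)
  ERB.new(template).result(binding) # binding exposes `classifications` to the template
end

# Regression check: link texts in the rendered menu that still contain a tag.
def labels_with_markup(html)
  html.scan(%r{<a [^>]*>(.*?)</a>}m).flatten.grep(%r{<[a-z/!]}i)
end

if __FILE__ == $PROGRAM_NAME
  { 'raw' => MENU_RAW, 'encoded' => MENU_ENCODED }.each do |name, tpl|
    html = render_menu(tpl, SAMPLE)
    puts "#{name}: markup in labels = #{labels_with_markup(html).inspect}"
  end
end
```

With encoding, the stored name is displayed as literal text instead of being parsed as markup; sanitize, as used in the advisory, instead strips the dangerous attribute and keeps permitted tags.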

References:

https://github.com/Snorby/snorby/commit/89d7cbcd3697c8a842f1a61b99e9a78f295798fb
https://github.com/Snorby/snorby/issues/377


Copyright 2024, cxsecurity.com

 
