fix: [security] Fix persistent xss via link type attributes containing javascript:// links - low impact as it requires user interaction to trigger - as reported by João Lucas Melo Brasio from Elytron Security S.A. (https://elytronsecurity.com)
Showing
1 changed file
with
53 additions
and
51 deletions.
@@ -1,58 +1,60 @@ | ||
<?php | ||
$sigDisplay = $object['value']; | ||
if ('attachment' == $object['type'] || 'malware-sample' == $object['type'] ) { | ||
if ($object['type'] == 'attachment' && isset($object['image'])) { | ||
if (extension_loaded('gd')) { | ||
$img = '<it class="fa fa-spin fa-spinner" style="font-size: large; left: 50%; top: 50%;"></it>'; | ||
$img .= '<img class="screenshot screenshot-collapsed useCursorPointer img-rounded hidden" src="' . $baseurl . '/attributes/viewPicture/' . h($object['id']) . '/1' . '" title="' . h($object['value']) . '" onload="$(this).show(200); $(this).parent().find(\'.fa-spinner\').remove();"/>'; | ||
echo $img; | ||
$sigDisplay = $object['value']; | ||
if ('attachment' == $object['type'] || 'malware-sample' == $object['type'] ) { | ||
if ($object['type'] == 'attachment' && isset($object['image'])) { | ||
if (extension_loaded('gd')) { | ||
$img = '<it class="fa fa-spin fa-spinner" style="font-size: large; left: 50%; top: 50%;"></it>'; | ||
$img .= '<img class="screenshot screenshot-collapsed useCursorPointer img-rounded hidden" src="' . $baseurl . '/attributes/viewPicture/' . h($object['id']) . '/1' . '" title="' . h($object['value']) . '" onload="$(this).show(200); $(this).parent().find(\'.fa-spinner\').remove();"/>'; | ||
echo $img; | ||
} else { | ||
$extension = explode('.', $object['value']); | ||
$extension = end($extension); | ||
$uri = 'data:image/' . strtolower(h($extension)) . ';base64,' . h($object['image']); | ||
echo '<img class="screenshot screenshot-collapsed useCursorPointer" src="' . $uri . '" title="' . h($object['value']) . '" />'; | ||
} | ||
} else { | ||
$extension = explode('.', $object['value']); | ||
$extension = end($extension); | ||
$uri = 'data:image/' . strtolower(h($extension)) . ';base64,' . h($object['image']); | ||
echo '<img class="screenshot screenshot-collapsed useCursorPointer" src="' . $uri . '" title="' . h($object['value']) . '" />'; | ||
$filenameHash = explode('|', h($object['value'])); | ||
if (strrpos($filenameHash[0], '\\')) { | ||
$filepath = substr($filenameHash[0], 0, strrpos($filenameHash[0], '\\')); | ||
$filename = substr($filenameHash[0], strrpos($filenameHash[0], '\\')); | ||
echo h($filepath); | ||
echo '<a href="' . $baseurl . '/attributes/download/' . h($object['id']) . '" class="' . $linkClass . '">' . h($filename) . '</a>'; | ||
} else { | ||
echo '<a href="' . $baseurl . '/attributes/download/' . h($object['id']) . '" class="' . $linkClass . '">' . h($filenameHash[0]) . '</a>'; | ||
} | ||
if (isset($filenameHash[1])) echo '<br />' . $filenameHash[1]; | ||
} | ||
} else if (strpos($object['type'], '|') !== false) { | ||
$separator = in_array($object['type'], array('ip-dst|port', 'ip-src|port')) ? ':' : '<br />'; | ||
$value_pieces = explode('|', $object['value']); | ||
foreach ($value_pieces as $k => $v) { | ||
$value_pieces[$k] = h($v); | ||
} | ||
$object['value'] = implode($separator, $value_pieces); | ||
echo ($object['value']); | ||
} else if ('vulnerability' == $object['type']) { | ||
$cveUrl = (is_null(Configure::read('MISP.cveurl'))) ? "http://www.google.com/search?q=" : Configure::read('MISP.cveurl'); | ||
echo $this->Html->link($sigDisplay, $cveUrl . $sigDisplay, array('target' => '_blank', 'class' => $linkClass)); | ||
} else if ('link' == $object['type'] && (substr($object['value'], 0, 7) === 'http://' || substr($object['value'], 0, 8) === 'https://')) { | ||
echo $this->Html->link($sigDisplay, $sigDisplay, array('class' => $linkClass)); | ||
} else if ('cortex' == $object['type']) { | ||
echo '<div class="cortex-json" data-cortex-json="' . h($object['value']) . '">Cortex object</div>'; | ||
} else if ('text' == $object['type']) { | ||
if (($object['category'] == 'Internal reference' || $object['category'] == 'External analysis') && preg_match('/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/i', $object['value'])) { | ||
echo '<a href="' . $baseurl . '/events/view/' . h($object['value']) . '" class="' . $linkClass . '">' . h($object['value']) . '</a>'; | ||
} else { | ||
$sigDisplay = str_replace("\r", '', h($sigDisplay)); | ||
$sigDisplay = str_replace(" ", ' ', $sigDisplay); | ||
echo $sigDisplay; | ||
} | ||
} else if ('hex' == $object['type']) { | ||
$sigDisplay = str_replace("\r", '', $sigDisplay); | ||
echo '<span class="hex-value" title="' . __('Hexadecimal representation') . '">' . h($sigDisplay) . '</span> <span role="button" tabindex="0" aria-label="' . __('Switch to binary representation') . '" class="icon-repeat hex-value-convert useCursorPointer" title="' . __('Switch to binary representation') . '"></span>'; | ||
} else { | ||
$filenameHash = explode('|', h($object['value'])); | ||
if (strrpos($filenameHash[0], '\\')) { | ||
$filepath = substr($filenameHash[0], 0, strrpos($filenameHash[0], '\\')); | ||
$filename = substr($filenameHash[0], strrpos($filenameHash[0], '\\')); | ||
echo h($filepath); | ||
echo '<a href="' . $baseurl . '/attributes/download/' . h($object['id']) . '" class="' . $linkClass . '">' . h($filename) . '</a>'; | ||
} else { | ||
echo '<a href="' . $baseurl . '/attributes/download/' . h($object['id']) . '" class="' . $linkClass . '">' . h($filenameHash[0]) . '</a>'; | ||
} | ||
if (isset($filenameHash[1])) echo '<br />' . $filenameHash[1]; | ||
$sigDisplay = str_replace("\r", '', $sigDisplay); | ||
echo h($sigDisplay); | ||
} | ||
} else if (strpos($object['type'], '|') !== false) { | ||
$separator = in_array($object['type'], array('ip-dst|port', 'ip-src|port')) ? ':' : '<br />'; | ||
$value_pieces = explode('|', $object['value']); | ||
foreach ($value_pieces as $k => $v) { | ||
$value_pieces[$k] = h($v); | ||
} | ||
$object['value'] = implode($separator, $value_pieces); | ||
echo ($object['value']); | ||
} else if ('vulnerability' == $object['type']) { | ||
$cveUrl = (is_null(Configure::read('MISP.cveurl'))) ? "http://www.google.com/search?q=" : Configure::read('MISP.cveurl'); | ||
echo $this->Html->link($sigDisplay, $cveUrl . $sigDisplay, array('target' => '_blank', 'class' => $linkClass)); | ||
} else if ('link' == $object['type']) { | ||
echo $this->Html->link($sigDisplay, $sigDisplay, array('class' => $linkClass)); | ||
} else if ('cortex' == $object['type']) { | ||
echo '<div class="cortex-json" data-cortex-json="' . h($object['value']) . '">Cortex object</div>'; | ||
} else if ('text' == $object['type']) { | ||
if (($object['category'] == 'Internal reference' || $object['category'] == 'External analysis') && preg_match('/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/i', $object['value'])) { | ||
echo '<a href="' . $baseurl . '/events/view/' . h($object['value']) . '" class="' . $linkClass . '">' . h($object['value']) . '</a>'; | ||
} else { | ||
$sigDisplay = str_replace("\r", '', h($sigDisplay)); | ||
$sigDisplay = str_replace(" ", ' ', $sigDisplay); | ||
echo $sigDisplay; | ||
if (isset($object['validationIssue'])) { | ||
echo ' <span class="fa fa-exclamation-triangle" title="' . __('Warning, this doesn\'t seem to be a legitimate ') . strtoupper(h($object['type'])) . __(' value') . '"> </span>'; | ||
} | ||
} else if ('hex' == $object['type']) { | ||
$sigDisplay = str_replace("\r", '', $sigDisplay); | ||
echo '<span class="hex-value" title="' . __('Hexadecimal representation') . '">' . h($sigDisplay) . '</span> <span role="button" tabindex="0" aria-label="' . __('Switch to binary representation') . '" class="icon-repeat hex-value-convert useCursorPointer" title="' . __('Switch to binary representation') . '"></span>'; | ||
} else { | ||
$sigDisplay = str_replace("\r", '', $sigDisplay); | ||
echo h($sigDisplay); | ||
} | ||
if (isset($object['validationIssue'])) echo ' <span class="fa fa-exclamation-triangle" title="' . __('Warning, this doesn\'t seem to be a legitimate ') . strtoupper(h($object['type'])) . __(' value') . '"> </span>'; | ||
?> |
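Review bot: The scheme check added to the `link` branch, `substr($object['value'], 0, 7) === 'http://' || substr($object['value'], 0, 8) === 'https://'`, is case-sensitive, so a value such as `HTTP://example.org` no longer renders as a link and drops to the final `else`, where it is printed as escaped text; URL schemes are case-insensitive, so an anchored case-insensitive match keeps the allow-list intent without that regression: `} else if ('link' == $object['type'] && preg_match('#^https?://#i', $object['value'])) {`. A short comment on that line would stop the next reader from "simplifying" it back, e.g. `// only http(s) values become anchors; any other scheme falls through to the escaped-text branch below`. Most of the hunk appears to differ only by indentation, which buries the two behavioural changes (this check and the braces added around the validationIssue echo) among roughly a hundred re-indented lines; keeping whitespace-only reformatting in a separate commit would make a security fix far easier to audit and backport.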