fix: [security] SSRF fixed in the rest client
- by using the full path parameter in the rest client, users could issue queries to any server
- this becomes especially problematic when the MISP server is able to query other internal servers,
  as external users could trigger those

- new server setting added that allows enabling the full path option, this is now disabled by default
- new server setting added that sets an override baseurl for the rest client, removing the need for the full
  path option in the first place (for example for the training VM with its port forwarding)

- Thanks to Heitor Gouvêa for reporting this vulnerability
iglocska committed Oct 31, 2020
1 parent 3c8b9c0 commit 6e81c8e
Showing 2 changed files with 21 additions and 3 deletions.
7 changes: 4 additions & 3 deletions app/Controller/ServersController.php
Expand Up @@ -2002,17 +2002,17 @@ private function __doRestQuery($request, &$curl = false, &$python = false)
'body' => empty($request['body']) ? '' : $request['body'],
'url' => $request['url'],
'http_method' => $request['method'],
'use_full_path' => $request['use_full_path'],
'use_full_path' => empty($request['use_full_path']) ? false : $request['use_full_path'],
'show_result' => $request['show_result'],
'skip_ssl' => $request['skip_ssl_validation'],
'bookmark' => $request['bookmark'],
'bookmark_name' => $request['name'],
'timestamp' => $date->getTimestamp()
);
if (!empty($request['url'])) {
if (empty($request['use_full_path'])) {
if (empty($request['use_full_path']) || empty(Configure::read('Security.rest_client_enable_arbitrary_urls'))) {
$path = preg_replace('#^(://|[^/?])+#', '', $request['url']);
$url = Configure::read('MISP.baseurl') . $path;
$url = empty(Configure::read('Security.rest_client_baseurl')) ? (Configure::read('MISP.baseurl') . $path) : (Configure::read('Security.rest_client_baseurl') . $path);
unset($request['url']);
} else {
$url = $request['url'];
Expand Down Expand Up @@ -2082,6 +2082,7 @@ private function __doRestQuery($request, &$curl = false, &$python = false)
}
$view_data['duration'] = microtime(true) - $start;
$view_data['duration'] = round($view_data['duration'] * 1000, 2) . 'ms';
$view_data['url'] = $url;
$view_data['code'] = $response->code;
$view_data['headers'] = $response->headers;
if (!empty($request['show_result'])) {
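Review bot: When a user enables use_full_path while Security.rest_client_enable_arbitrary_urls is off, the new condition silently rewrites the request onto the MISP baseurl instead of refusing it, so the only hint the caller gets is the effective URL echoed via `$view_data['url']` in the second hunk. Refusing explicitly avoids confusion and unintended queries against the instance itself, e.g. before the `if (!empty($request['url']))` block: `if (!empty($request['use_full_path']) && empty(Configure::read('Security.rest_client_enable_arbitrary_urls'))) { throw new MethodNotAllowedException(__('Querying arbitrary URLs via the REST client is disabled (Security.rest_client_enable_arbitrary_urls).')); }`. The preg_replace on the following line keeps only what follows the host, so the fallback itself is safe as written; a comment such as `// strip scheme and host: unless arbitrary URLs are enabled, every query is pinned to this instance (SSRF fix)` would make the intent obvious to the next reader. __doRestQuery starts before and continues past this hunk, so whether the generated curl/python snippets (the by-reference parameters) also use the rewritten URL cannot be confirmed here.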
17 changes: 17 additions & 0 deletions app/Model/Server.php
Expand Up @@ -1279,6 +1279,23 @@ public function __construct($id = false, $table = null, $ds = null)
'editable' => false,
'redacted' => true
),
'rest_client_enable_arbitrary_urls' => array(
'level' => 0,
'description' => __('Enable this setting if you wish for users to be able to query any arbitrary URL via the rest client. Keep in mind that queries are executed by the MISP server, so internal IPs in your MISP\'s network may be reachable.'),
'value' => false,
'errorMessage' => '',
'test' => 'testBool',
'type' => 'boolean',
'null' => true
),
'rest_client_baseurl' => array(
'level' => 1,
'description' => __('If left empty, the baseurl of your MISP is used. However, in some instances (such as port-forwarded VM installations) this will not work. You can override the baseurl with a url through which your MISP can reach itself (typically https://127.0.0.1 would work).'),
'value' => false,
'errorMessage' => '',
'test' => null,
'type' => 'string',
),
'syslog' => array(
'level' => 0,
'description' => __('Enable this setting to pass all audit log entries directly to syslog. Keep in mind, this is verbose and will include user, organisation, event data.'),
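Review bot: The rest_client_baseurl description recommends https://127.0.0.1, but a TLS certificate will not normally cover that address, so the self-request fails certificate validation unless the user also ticks skip SSL validation in the rest client; the description should say so, e.g. append `With https the certificate must be valid for this host/IP, otherwise queries fail unless SSL validation is skipped.`. The setting is also declared with `'test' => null`, so any string is accepted, including one with a path component or trailing slash that the controller concatenates directly with the request path; a validator equivalent to the one applied to MISP.baseurl (presumably available in this model) would catch typos before they break every REST-client query. Minor: `'value' => false` on a `'type' => 'string'` setting is inconsistent; an empty-string default matches the "If left empty" wording and the emptiness check in the controller.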
