fix: [security] setting a favourite homepage was not CSRF protected
- a user could be lured into setting a MISP home-page outside of the MISP baseurl
- switched the endpoint to be CSRF protection enabled

- as discovered by Mislav Božičević <mislav.bozicevic@nn.cz>
iglocska committed Jul 13, 2020
1 parent 2a561d5 commit bf4610c
Showing 4 changed files with 20 additions and 10 deletions.
2 changes: 1 addition & 1 deletion app/Controller/AppController.php
Expand Up @@ -46,7 +46,7 @@ class AppController extends Controller

public $helpers = array('Utility', 'OrgImg', 'FontAwesome', 'UserName', 'DataPathCollector');

private $__queryVersion = '106';
private $__queryVersion = '107';
public $pyMispVersion = '2.4.128';
public $phpmin = '7.2';
public $phprec = '7.4';
5 changes: 3 additions & 2 deletions app/View/Elements/global_menu.ctp
Expand Up @@ -413,8 +413,9 @@
'type' => 'root',
'url' => '#',
'html' => sprintf(
'<span class="fas fa-star %s" id="setHomePage" title="Set the current page as your home page in MISP"></span>',
(!empty($homepage['path']) && $homepage['path'] === $this->here) ? 'orange' : ''
'<span class="fas fa-star %s" id="setHomePage" title="Set the current page as your home page in MISP" data-current-page="%s"></span>',
(!empty($homepage['path']) && $homepage['path'] === $this->here) ? 'orange' : '',
$this->here
)
),
array(
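Review bot: `$this->here` is written into the new `data-current-page="%s"` attribute as the third sprintf argument without `h()`, so the request path lands raw between the attribute quotes; unless CakePHP already entity-encodes `here` before it reaches the view, a path containing `"` would end the attribute early. Pass `h($this->here)` instead — the JS consumer reads the value with `.data('current-page')` and assigns it with `.val()`, and attribute values are entity-decoded by the parser, so the encoded form round-trips unchanged. The comparison on the line above uses the same value only as a string, which is fine. The array element that holds this sprintf call starts and ends outside the hunk.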
1 change: 1 addition & 0 deletions app/View/Layouts/default.ctp
Expand Up @@ -88,6 +88,7 @@
<div id = "ajax_fail_container" class="ajax_container">
<div id="ajax_fail" class="ajax_result ajax_fail"></div>
</div>
<div id = "ajax_hidden_container" class="hidden"></div>
<div class="loading">
<div class="spinner"></div>
<div class="loadingText"><?php echo __('Loading');?></div>
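Review bot: The new `ajax_hidden_container` div carries no hint of its purpose, and nothing in the layout distinguishes it from the `ajax_result` containers just above it; its only consumer appears to be `setHomePage()` in misp.js, which injects a server-rendered form into it and submits that form. A one-line HTML comment above it, `<!-- scratch container for forms fetched via AJAX and submitted from JS (see setHomePage in misp.js) -->`, would save the next reader a grep. The `id = "..."` spacing copies the line above rather than the usual `id="..."` form used elsewhere in the same hunk.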
22 changes: 15 additions & 7 deletions app/webroot/js/misp.js
Expand Up @@ -5022,15 +5022,23 @@ function resetDashboardGrid(grid) {

function setHomePage() {
$.ajax({
type: 'POST',
type: 'GET',
url: baseurl + '/userSettings/setHomePage',
data: {
path: window.location.pathname
},
success:function (data, textStatus) {
showMessage('success', 'Homepage set.');
$('#setHomePage').addClass('orange');
},
$('#ajax_hidden_container').html(data);
var currentPage = $('#setHomePage').data('current-page');
$('#UserSettingPath').val(currentPage);
$.ajax({
type: 'POST',
url: baseurl + '/userSettings/setHomePage',
data: $('#UserSettingSetHomePageForm').serialize(),
success:function (data, textStatus) {
showMessage('success', 'Homepage set.');
$('#setHomePage').addClass('orange');
},
});

}
});
}

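Review bot: Neither the GET that fetches the form nor the nested POST in `setHomePage()` has an `error:` handler, so a rejected token, an expired session or any non-2xx response leaves the star unchanged and the user uninformed — `showMessage('success', ...)` is the only feedback path. Add an `error:` callback to each request that reports the failure, as in the fence below. The inner `success: function (data, ...)` shadows the outer `data` parameter; renaming the outer one (`formHtml`) makes it clear which response is the form markup. Reading the path from `data-current-page` rather than `window.location.pathname` is what ties the stored value to a server-rendered path, and deserves a one-line comment above `var currentPage`. The controller-side change that makes the POST require the CSRF token is not in this diff, so the assumption that the GET only renders the form and the POST applies the setting rests on the commit message.
```javascript
    $.ajax({
        type: 'GET',
        url: baseurl + '/userSettings/setHomePage',
        success: function (formHtml) {
            // … unchanged: inject the form, copy data-current-page into #UserSettingPath …
            $.ajax({
                // … unchanged: POST of the serialised form and its success handler …
                error: function () {
                    showMessage('fail', 'Could not set the homepage.');
                }
            });
        },
        error: function () {
            showMessage('fail', 'Could not load the homepage form.');
        }
    });
```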
