Stored Cross-Site Scripting (XSS) Vulnerability #377

Closed
ociredefz opened this issue Jun 29, 2015 · 1 comment

Comments

@ociredefz

The latest version of Snorby is vulnerable to a cross-site scripting attack.
These are the steps to reproduce the bug:

  1. Start Snorby in production mode and log in to the web UI.
  2. Go to 'Administration' -> 'Classifications' and 'Add classification'.
  3. In the title of the classification just add the XSS vector: title<img src=x onerror=alert(document.cookie)>
  4. Go back to the dashboard, click 'My Queue' and see the alert.

The output from the page snorby/app/views/events/_menu.html.erb is not properly sanitized before rendering:

<% @classifications.each do |cls| %>
    <% if cls.locked && cls.hotkey %>
        <%= drop_down_item "#{cls.name}#{cls.shortcut}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %>
    <% else %>
        <%= drop_down_item "#{cls.name}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %>
    <% end %>
<% end %>

A simple XSS mitigation in Rails could be the use of sanitize; for example, the code below filters the XSS vector by removing the onerror attribute from the image tag:

<% @classifications.each do |cls| %>
    <% if cls.locked && cls.hotkey %>
        <%= drop_down_item "#{sanitize cls.name}#{cls.shortcut}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %>
    <% else %>
        <%= drop_down_item "#{sanitize cls.name}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %>
    <% end %>
<% end %>

This is a demonstration screenshot:

[screenshots: snorby-xss, snorby-render-xss]

@ociredefz ociredefz changed the title Cross-Site Scripting (XSS) Vulnerability Stored Cross-Site Scripting (XSS) Vulnerability Jun 30, 2015
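An added example (not from this issue or the Snorby code base) that turns the report above into a regression check: a stand-in for the menu-item template renders the reported classification name with and without output escaping, and a tag-allowlist check flags the unescaped result. It uses the stdlib ERB::Util.html_escape rather than Rails' sanitize helper so it runs without Rails; the template, the allowlist and the classification name are constructed for the example.

```ruby
require "erb"

# Constructed classification name carrying the vector from the report
# (sample input for this example, not data from the Snorby code base).
PAYLOAD_NAME = "title<img src=x onerror=alert(document.cookie)>"

# Hypothetical stand-in for the vulnerable _menu.html.erb pattern: the name
# is interpolated into the menu item verbatim, exactly as the report describes.
UNESCAPED_TEMPLATE = ERB.new('<li class="classification"><%= name %></li>')

# Same template with the name passed through ERB::Util.html_escape, the
# stdlib equivalent of Rails' default output escaping.
ESCAPED_TEMPLATE = ERB.new(
  '<li class="classification"><%= ERB::Util.html_escape(name) %></li>'
)

# Only the template's own element may appear as markup in the rendered item.
ALLOWED_TAGS = %w[li].freeze

def render_menu_item(template, name)
  template.result_with_hash(name: name)
end

# Regression check a maintainer could keep in the test suite: collect every
# tag name that appears as real markup in the fragment and fail if any tag
# outside the allowlist is present (an escaped "&lt;img" is text, not a tag).
def menu_item_safe?(html)
  tags = html.scan(%r{</?\s*([A-Za-z][\w-]*)}).flatten.map(&:downcase).uniq
  (tags - ALLOWED_TAGS).empty?
end

if __FILE__ == $PROGRAM_NAME
  [UNESCAPED_TEMPLATE, ESCAPED_TEMPLATE].each do |tpl|
    html = render_menu_item(tpl, PAYLOAD_NAME)
    puts "#{menu_item_safe?(html) ? 'safe  ' : 'UNSAFE'} #{html}"
  end
end
```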
@miketanderson
Contributor

Thanks for the detailed report. I confirmed this was a problem and pushed a fix.
