Stored Cross-Site Scripting (XSS) Vulnerability #377

Closed
eurialo opened this Issue Jun 29, 2015 · 1 comment


eurialo commented Jun 29, 2015

The latest version of Snorby is vulnerable to a cross-site scripting attack.
These are the steps to reproduce the bug:

  1. Start Snorby in production-mode and log in the web UI.
  2. Go to 'Administration' -> 'Classifications' and 'Add classification'.
  3. In the title of classification just add the xss vector: title**<img src=x onerror=alert(document.cookie)>**
  4. Come back to dashboard and click to 'My Queue' and see the alert.

The output from the page snorby/app/views/events/_menu.html.erb is not properly sanitized before its rendering:

<% @classifications.each do |cls| %>
    <% if cls.locked && cls.hotkey %>
        <%= drop_down_item "#{cls.name}#{cls.shortcut}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %>
    <% else %>
        <%= drop_down_item "#{cls.name}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %>
    <% end %>
<% end %>

A simple XSS mitigation in Rails could be the use of sanitize; for example, the code below filters the XSS vector by removing the onerror attribute from the image tag:

<% @classifications.each do |cls| %>
    <% if cls.locked && cls.hotkey %>
        <%= drop_down_item "#{sanitize cls.name}#{cls.shortcut}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %>
    <% else %>
        <%= drop_down_item "#{sanitize cls.name}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %>
    <% end %>
<% end %>

These are demonstration screenshots:

[screenshots: snorby-xss, snorby-render-xss]
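The rendering path described in the report, reduced to a stand-alone Ruby script, as an added example that is not part of the original issue or of Snorby's code. `drop_down_item` here is a hypothetical stand-in for Snorby's helper that emits its label verbatim; the classification records are constructed, with the second one carrying the stored payload from step 3. The hardened variant uses `ERB::Util.html_escape` (the stdlib routine behind Rails' `h` helper) instead of the `sanitize` helper the report proposes, because escaping needs no Rails dependency and renders the name as plain text; `contains_unexpected_tag?` is a simple regression check a reviewer can run over the rendered menu.

```ruby
require "erb"

# Constructed sample classifications, standing in for Snorby's @classifications.
# The second name is the stored XSS vector from the report (step 3).
Classification = Struct.new(:id, :name, :shortcut, :locked, :hotkey)

SAMPLE_CLASSIFICATIONS = [
  Classification.new(1, "Unauthorized Root Access", "1", true, true),
  Classification.new(2, "title<img src=x onerror=alert(document.cookie)>", nil, false, false),
]

# Hypothetical stand-in for Snorby's drop_down_item helper: it trusts its label
# argument and writes it into the markup unchanged, which is how the
# interpolated classification name reaches the page in _menu.html.erb.
def drop_down_item(label, href, data_id)
  %(<li><a href="#{href}" class="classification" data-classification-id="#{data_id}">#{label}</a></li>)
end

# Vulnerable rendering, mirroring the original template: the label is built by
# string interpolation, so whatever is stored in cls.name lands in the HTML.
def render_menu_vulnerable(classifications)
  classifications.map do |cls|
    label = cls.locked && cls.hotkey ? "#{cls.name}#{cls.shortcut}" : cls.name.to_s
    drop_down_item(label, "#", cls.id.to_i)
  end.join("\n")
end

# Hardened rendering: escape the untrusted fields before interpolating them.
# The name is shown as text, so no tag or event handler survives.
def render_menu_escaped(classifications)
  classifications.map do |cls|
    safe_name = ERB::Util.html_escape(cls.name.to_s)
    label = if cls.locked && cls.hotkey
              "#{safe_name}#{ERB::Util.html_escape(cls.shortcut.to_s)}"
            else
              safe_name
            end
    drop_down_item(label, "#", cls.id.to_i)
  end.join("\n")
end

# Regression check: the only elements that may appear in the rendered menu are
# the <li> and <a> emitted by the helper itself. Any other tag name means
# stored data was written to the page without escaping.
def contains_unexpected_tag?(html)
  tags = html.scan(/<\s*\/?\s*([a-zA-Z][a-zA-Z0-9]*)/).flatten.map(&:downcase)
  tags.any? { |t| !%w[li a].include?(t) }
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable:\n#{render_menu_vulnerable(SAMPLE_CLASSIFICATIONS)}\n"
  puts "escaped:\n#{render_menu_escaped(SAMPLE_CLASSIFICATIONS)}"
end
```

Running the script prints both menus; the vulnerable one carries the `<img>` element through to the browser, while the escaped one shows `&lt;img ...&gt;` as inert text. In a real Rails view the same effect is obtained by escaping (or, as the report suggests, sanitizing) the name at the interpolation point, or by having the helper escape its label rather than trusting the caller.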

@eurialo eurialo changed the title from Cross-Site Scripting (XSS) Vulnerability to Stored Cross-Site Scripting (XSS) Vulnerability Jun 30, 2015

Contributor

miketanderson commented Jul 1, 2015

Thanks for the detailed report. I confirmed this was a problem and pushed a fix.

@dougburks dougburks referenced this issue in Security-Onion-Solutions/security-onion Jul 3, 2015

Closed

Snorby 2.6.3 #766
