Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:32331
HistoryJul 14, 2015 - 12:00 a.m.

Snorby 2.6.2 - Stored Cross-site Scripting Vulnerability

2015-07-1400:00:00
vulners.com
49
JSON

Snorby 2.6.2 - Stored Cross-site Scripting Vulnerability

Vendor

https://www.snorby.org/

Version

2.6.2

Description

During my research and testing of new IDS (Intrusion Detection System)
like Suricata, I've
found a Stored Cross-site Scripting (XSS) vulnerability in Snorby (that
I'd like to use as
web user interface for suricata). The vulnerability exists in the module
for adding a new
threat classification model where the user input is not correctly
sanitized before being
saved it on the database or for example the output is not properly
filtered, before its
rendering in the event/menu code, in this way the vector gets executed.

Vulnerability

The output from the page snorby/app/views/events/_menu.html.erb is not
properly sanitized
before its rendering:

–_menu.html.erb–
<% @classifications.each do |cls| %>
<% if cls.locked && cls.hotkey %>
<%= drop_down_item "#{cls.name}#{cls.shortcut}", '#', nil, {
:class => 'classification', :"data-classification-id" => cls.id.to_i } %>
<% else %>
<%= drop_down_item "#{cls.name}", '#', nil, { :class =>
'classification', :"data-classification-id" => cls.id.to_i } %>
<% end %>
<% end %>
–end–

Mitigation

A simple XSS mitigation on rails could be the usage of the sanitize, for
example the code
below filters the xss vector by removing the onerror attribute from the
image tag:

–_menu.html.erb–
<% @classifications.each do |cls| %>
<% if cls.locked && cls.hotkey %>
<%= drop_down_item "#{sanitize cls.name}#{cls.shortcut}", '#',
nil, { :class => 'classification', :"data-classification-id" =>
cls.id.to_i } %>
<% else %>
<%= drop_down_item "#{sanitize cls.name}", '#', nil, { :class =>
'classification', :"data-classification-id" => cls.id.to_i } %>
<% end %>
<% end %>
–end–

Solution

Update to the latest version on Github.

Disclosure

30-06-2015 – Vendor notification
(https://github.com/Snorby/snorby/issues/377&#41;
30-06-2015 – CVE id requested
01-07-2015 - Vendor acknowledgement
01-07-2015 - Vendor pushed a fix (commit-id:
https://github.com/Snorby/snorby/commit/89d7cbcd3697c8a842f1a61b99e9a78f295798fb&#41;

Credits

Federico Fazzi - [email protected]
Web: http://deftcode.ninja

– Federico Fazzi Mobile: +39 345 2327231 <tel:+3934%202327231> http://deftcode.ninja

JSON