The latest version of Snorby is vulnerable to a cross-site scripting attack. These are the steps to reproduce the bug:

1) Start Snorby in production mode and log in to the web UI.
2) Go to 'Administration' -> 'Classifications' and 'Add classification'.
3) In the title of the classification, add the XSS vector: title<img src=x onerror=alert(document.cookie)>
4) Go back to the dashboard, click 'My Queue' and see the alert.

The output from the partial snorby/app/views/events/_menu.html.erb is not properly sanitized before it is rendered:

<% @classifications.each do |cls| %>
  <% if cls.locked && cls.hotkey %>
    <%= drop_down_item "#{cls.name}#{cls.shortcut}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %>
  <% else %>
    <%= drop_down_item "#{cls.name}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %>
  <% end %>
<% end %>

A simple XSS mitigation in Rails is to use the sanitize helper; for example, the code below filters the XSS vector by removing the onerror attribute from the image tag:

<% @classifications.each do |cls| %>
  <% if cls.locked && cls.hotkey %>
    <%= drop_down_item "#{sanitize cls.name}#{cls.shortcut}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %>
  <% else %>
    <%= drop_down_item "#{sanitize cls.name}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %>
  <% end %>
<% end %>

This is a demonstration screenshot:
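The following is an added example, not Snorby's own code: a plain-Ruby reproduction of the vulnerable loop with a hypothetical, simplified stand-in for drop_down_item, next to a rendering that entity-escapes the classification title with the stdlib ERB::Util.html_escape (used here instead of Rails' sanitize so it runs without Rails), plus the regression check a maintainer could keep to make sure the title can no longer form a tag.

```ruby
require 'erb'

# Constructed sample title: the vector the advisory uses as a classification name.
XSS_TITLE = 'title<img src=x onerror=alert(document.cookie)>'

Classification = Struct.new(:name, :shortcut, :locked, :hotkey, :id)

# Hypothetical stand-in for Snorby's drop_down_item helper: it places the label
# in the markup verbatim, so HTML inside the label reaches the browser unchanged.
def drop_down_item(label, href, opts)
  %(<li class="#{opts[:class]}" data-classification-id="#{opts[:id]}"><a href="#{href}">#{label}</a></li>)
end

# Plain-ERB template mirroring the loop in _menu.html.erb. `escaper` is applied
# to the stored name before interpolation; an identity escaper reproduces the bug.
MENU_TEMPLATE = <<~'ERB'
  <% classifications.each do |cls| %>
  <% name = escaper.call(cls.name) %>
  <% label = cls.locked && cls.hotkey ? "#{name}#{cls.shortcut}" : name %>
  <%= drop_down_item(label, '#', class: 'classification', id: cls.id.to_i) %>
  <% end %>
ERB

def render_menu(classifications, escaper:)
  ERB.new(MENU_TEMPLATE).result(binding)
end

# Vulnerable rendering: the stored title is emitted as-is.
def render_menu_raw(classifications)
  render_menu(classifications, escaper: ->(s) { s })
end

# Hardened rendering: entity-encode the title so '<', '>' and quotes
# cannot open a tag or an attribute in the menu markup.
def render_menu_escaped(classifications)
  render_menu(classifications, escaper: ->(s) { ERB::Util.html_escape(s) })
end

# Regression check for this vector: is there still a real <img ...> tag carrying
# an inline event handler? (After escaping, '<' becomes '&lt;' and nothing matches.)
def contains_active_markup?(html)
  !!(html =~ /<img\b[^>]*\bonerror\s*=/i)
end

if __FILE__ == $0
  cls = [Classification.new(XSS_TITLE, 'x', true, true, 7)]
  puts render_menu_raw(cls)
  puts render_menu_escaped(cls)
end
```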