Closed egrullon closed 2 years ago
Hello @egrullon first of all, thanks for creating an issue.
Can you please tell more about:
- the type of authentication you use? "local, ldap, ad"?
- is the second login call already authenticated? (Session cookie?)
- what's the full response of the second API call that returns 200?
Thanks
Hi @nadouani,
- the type of authentication you use? "local, ldap, ad"? I did the tests on all authentication methods.
- is the second login call already authenticated? (Session cookie?) Yes Sir.
- what's the full response of the second API call that returns 200? The response 200 OK.
Thanks,
Maybe this issue is a duplicate of https://github.com/TheHive-Project/TheHive/issues/2355
Hi @nadouani,
1.-
2.-
3.-
4.-
5.-
6.-
7.-
8.-
9.- Then go back once or twice in your browser for the new user...
Hi Nadouani,
How are you doing today?
Please verify the MITRE link http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27988
And https://github.com/TheHive-Project/TheHive/issues/2353#issuecomment-1105728194
Could you please verify this?
Best regards,
On Wed, Mar 30, 2022, 11:56 AM Nabil Adouani @.***> wrote:
Hello @egrullon https://github.com/egrullon first of all, thanks for creating an issue.
Can you please tell more about:
- the type of authentication you use? "local, ldap, ad"?
- is the second login call already authenticated? (Session cookie?)
- what's the full response of the second API call that returns 200?
Thanks
Request Type
Vulnerability - Authorization
Work Environment
Problem Description
Using a web proxy tool such as BurpSuite, a domain user can capture the request when trying to log in with their account and simply replace, through BurpSuite, the name of their domain user with another existing user in TheHive, without entering a password (this is done in the Repeater tab in BurpSuite). You simply hit Send and it returns a reply with a status of 200 OK. With this we can now switch to that new user.
Steps to Reproduce
{ "user":"edwin.grullon@your-domain.com", "password":"EDSecr3t12677849*rRHYWs" }
{ "user":"juan.perez@your-domain.com", "password":"" }
Then we can see the response from the server with a 200 OK.
Note: the user edwin.grullon must be logged in to the application.
After the 200 OK in the response, we right-click, choose Request in browser, then In original session. We copy the URL and paste it into the browser where the user edwin.grullon is logged in to the application. We refresh the page and click the back arrow in the browser. It now appears logged in as the user juan.perez, who is registered in TheHive.
Possible Solutions
Update to the latest version to ensure that the control mechanisms are properly hardened on the server side.
Reference: https://cwe.mitre.org/data/definitions/285.html
Complementary information
Discovery date: 02/15/2022
Device manufacturer: TheHive-Projects
Device model:
Device version: 4.1.16-1
Affected components: TheHive-Projects 4.1.16-1
CVSS v3: 7.7
CWE: CWE-285
Applicant name: Edwin Grullon Aybar
Organization: Personal
Email: egrullon@gmail.com
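The report above describes a login endpoint that accepts a second login for a different user with an empty password once the caller already holds a session, and then switches the session to that user (CWE-285, improper authorization). The following is an added illustration, not TheHive's code and not a patch for it: a minimal login handler that shows the server-side properties a fix needs. Every login call re-verifies the submitted password for the submitted user, an empty or missing password is rejected before the user store is consulted, an existing session never vouches for a different account, and a successful login invalidates the old session and issues a fresh one. The user store, password hashing scheme (PBKDF2 via the standard library), account names and the `AUDIT` log are all constructed for the example.

```python
"""Hardened login handler (added example, not TheHive's implementation).

Models the property the report above asks for: a login request is
authenticated from scratch on every call, regardless of whether the
caller already has a session for some other user.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 200_000  # constructed choice for the example


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _make_user(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


# Constructed user store (username -> (salt, hash)); names and secrets are
# placeholders, not real credentials.
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "edwin.grullon@example.com": _make_user("constructed-secret-1"),
    "juan.perez@example.com": _make_user("constructed-secret-2"),
}

SESSIONS: Dict[str, str] = {}  # session id -> authenticated username
AUDIT: List[dict] = []  # one record per login attempt, for detection


def _record(user: Optional[str], session_id: Optional[str], outcome: str) -> None:
    # An "empty_password" outcome arriving on an already-authenticated
    # session is exactly the pattern in the report; a SOC can alert on it.
    AUDIT.append({
        "user": user,
        "had_session": session_id in SESSIONS,
        "outcome": outcome,
    })


def login(body: dict, session_id: Optional[str]) -> Tuple[int, Optional[str]]:
    """Return (HTTP status, new session id or None).

    The existing session id is only used to invalidate it on success; it
    never contributes to the authentication decision.
    """
    user = body.get("user")
    password = body.get("password")

    # Reject missing or empty credentials before touching the user store.
    if not isinstance(user, str) or not isinstance(password, str) or password == "":
        _record(user if isinstance(user, str) else None, session_id, "empty_password")
        return 401, None

    record = USERS.get(user)
    if record is None:
        # Hash anyway so unknown and known users take similar time.
        _hash_password(password, b"\x00" * 16)
        _record(user, session_id, "unknown_user")
        return 401, None

    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        _record(user, session_id, "bad_password")
        return 401, None

    # Success: drop the caller's old session and bind a fresh id to the
    # user whose password was just verified.
    if session_id in SESSIONS:
        del SESSIONS[session_id]
    new_id = secrets.token_urlsafe(32)
    SESSIONS[new_id] = user
    _record(user, None, "success")
    return 200, new_id


def whoami(session_id: Optional[str]) -> Optional[str]:
    """Resolve a session id to its authenticated user, if any."""
    return SESSIONS.get(session_id) if session_id else None


if __name__ == "__main__":
    status, sid = login({"user": "edwin.grullon@example.com",
                         "password": "constructed-secret-1"}, None)
    print(status, whoami(sid))  # first login succeeds for edwin
    status, sid2 = login({"user": "juan.perez@example.com", "password": ""}, sid)
    print(status, sid2, whoami(sid))  # replayed request is refused; edwin keeps his session
    print(AUDIT[-1])
```

The two things to check when reviewing any login handler against this report are visible in the block: the session id passed in never short-circuits password verification, and the `AUDIT` entry for the replayed request carries `had_session: True` together with `outcome: empty_password`, which is the combination worth a detection rule.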