Request Type
Vulnerability - Cookie Hijacking
Work Environment
Problem Description
In this same version 4.1.16-1 you can use the "Set-Cookie: THEHIVE-SESSION" response header to perform session cookie hijacking and switch to that other user's profile regardless of its permissions or roles.
Steps to Reproduce
Step 1
Using Burp Suite, turn on "Intercept is on" and capture the login request made with the correct credentials.
In Burp Suite you get the following login requests:
{ "user":"edwin.grullon@your-dominio.com", "password":"EDSecr3t12677849*rRHYWs" }
{ "user":"juan.perez@your-domain.com", "password":"" }
Then we see the response from the server with a 200 OK.
Note: the user edwin.grullon must be logged in to the application.
Step 2
After the 200 OK in the response within Burp Suite, we copy the header "Set-Cookie: THEHIVE-SESSION=eyJh" and paste it into the session of another domain user who is registered and logged in to TheHive. Then right-click, Request in browser, In original session.
Step 3
We copy the URL and paste it into the browser where the user maria.acosta is logged in to the application.
We refresh the page and click the browser's back arrow.
Result
The application now appears logged in as the user juan.perez, who is registered in TheHive.
Possible Solutions
Update to the latest version to ensure that the session control mechanisms are properly hardened on the server side.
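One way a defender can look for this kind of reuse in web-server or reverse-proxy logs while the upgrade is being rolled out, as an added example that is not part of the original report and not code from the TheHive project: it groups requests by the value of the session cookie and flags any value presented by more than one (client IP, User-Agent) pair. The access-log layout and the sample lines are constructed for this example; only the cookie name THEHIVE-SESSION comes from the report.

```python
"""Flag a single THEHIVE-SESSION cookie value that is presented by more than one client."""
import re
from collections import defaultdict

COOKIE_NAME = "THEHIVE-SESSION"

# Constructed sample lines in a generic reverse-proxy access-log layout
# (this is NOT TheHive's own log format):
#   client_ip "METHOD path" status "User-Agent" "Cookie header"
SAMPLE_LOG = """\
10.0.0.11 "POST /api/v1/login" 200 "Firefox/97.0 (Windows)" "-"
10.0.0.11 "GET /api/v1/case" 200 "Firefox/97.0 (Windows)" "THEHIVE-SESSION=eyJhAAAA; lang=en"
10.0.0.11 "GET /api/v1/alert" 200 "Firefox/97.0 (Windows)" "THEHIVE-SESSION=eyJhAAAA; lang=en"
10.0.0.42 "GET /api/v1/case" 200 "Chrome/98.0 (Linux)" "THEHIVE-SESSION=eyJhAAAA"
10.0.0.42 "GET /api/v1/user/current" 200 "Chrome/98.0 (Linux)" "THEHIVE-SESSION=eyJhBBBB"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<request>[^"]*)" (?P<status>\d{3}) "(?P<ua>[^"]*)" "(?P<cookies>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the expected layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def session_value(cookie_header, name=COOKIE_NAME):
    """Extract the value of the named cookie from a Cookie header, or None if it is absent."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name and value:
            return value
    return None


def find_shared_sessions(log_text, name=COOKIE_NAME):
    """Group requests by session cookie value and report values used by more than one (ip, user-agent) pair."""
    clients = defaultdict(set)   # session value -> set of (ip, user-agent)
    requests = defaultdict(int)  # session value -> number of requests seen
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sid = session_value(rec["cookies"], name)
        if sid is None:
            continue
        clients[sid].add((rec["ip"], rec["ua"]))
        requests[sid] += 1

    alerts = []
    for sid, fingerprints in clients.items():
        if len(fingerprints) > 1:
            alerts.append({
                "session": sid[:4] + "...",  # never write the full session token to an alert
                "clients": sorted(fingerprints),
                "requests": requests[sid],
            })
    return sorted(alerts, key=lambda a: a["session"])


if __name__ == "__main__":
    for alert in find_shared_sessions(SAMPLE_LOG):
        print(f"session {alert['session']} presented by {len(alert['clients'])} distinct clients "
              f"over {alert['requests']} requests: {alert['clients']}")
```

Keying on the IP and User-Agent together keeps a user who merely changes network address from tripping the rule on its own; a real deployment should tune the fingerprint to its environment and treat a hit as a prompt to invalidate the session server-side, since log review does not replace the server-side fix the report asks for.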
References: https://cwe.mitre.org/data/definitions/287.html
Complementary information
Discovery date: 02/15/2022
Device manufacturer: TheHive-Projects
Device version: 4.1.16-1, 4.1.18-1
Affected components: TheHive-Projects 4.1.16-1
CVSS v3: 6.7
CWE: CWE-287
Applicant name: Edwin Grullon Aybar
Email: egrullon@gmail.com