-------------------------------------------------------- Snorby 2.6.2 - Stored Cross-site Scripting Vulnerability -------------------------------------------------------- Vendor ------ https://www.snorby.org/ Version ------- 2.6.2 Description ----------- During my research and testing of new IDS (Intrusion Detection System) like Suricata, I've found a Stored Cross-site Scripting (XSS) vulnerability in Snorby (that I'd like to use as web user interface for suricata). The vulnerability exists in the module for adding a new threat classification model where the user input is not correctly sanitized before being saved it on the database or for example the output is not properly filtered, before its rendering in the event/menu code, in this way the vector gets executed. Vulnerability ------------- The output from the page snorby/app/views/events/_menu.html.erb is not properly sanitized before its rendering: --_menu.html.erb-- <% @classifications.each do |cls| %> <% if cls.locked && cls.hotkey %> <%= drop_down_item "#{cls.name}#{cls.shortcut}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %> <% else %> <%= drop_down_item "#{cls.name}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %> <% end %> <% end %> --end-- Mitigation ---------- A simple XSS mitigation on rails could be the usage of the sanitize, for example the code below filters the xss vector by removing the onerror attribute from the image tag: --_menu.html.erb-- <% @classifications.each do |cls| %> <% if cls.locked && cls.hotkey %> <%= drop_down_item "#{sanitize cls.name}#{cls.shortcut}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %> <% else %> <%= drop_down_item "#{sanitize cls.name}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %> <% end %> <% end %> --end-- Solution -------- Update to the latest version on Github. Disclosure ---------- 30-06-2015 – Vendor notification (https://github.com/Snorby/snorby/issues/377) 30-06-2015 – CVE id requested 01-07-2015 - Vendor acknowledgement 01-07-2015 - Vendor pushed a fix (commit-id: https://github.com/Snorby/snorby/commit/89d7cbcd3697c8a842f1a61b99e9a78f295798fb) Credits ------- Federico Fazzi - federico.fazzi@gmail.com Web: http://deftcode.ninja -- Federico Fazzi Mobile: +39 345 2327231 http://deftcode.ninja