DEFTCODE

GPG - 2048R/6D378CAF

CVE-2015-5460 – Snorby – 2.6.2 - Stored Cross-site Scripting

Vendor

https://www.snorby.org/2.6.2

Snorby is a new and modern Snort IDS front-end. The basic fundamental concepts behind snorby are simplicity and power. The project goal is to create a free, open source and highly competitive application for network monitoring for both private and enterprise use.

Description

During my research and testing of newer IDSs (Intrusion Detection Systems) such as Suricata, I found a Stored Cross-site Scripting (XSS) vulnerability in Snorby, which I wanted to use as the web user interface for Suricata. The vulnerability exists in the module for adding a new threat classification: the user input is not sanitized before being saved to the database, and the output is not escaped before being rendered in the event menu, so the stored vector is executed in the browser of every user who opens that menu.

Vulnerability

CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

The XSS vector is triggered from the event menu, rendered by snorby/app/views/events/_menu.html.erb, where the classification name is interpolated into the menu item without escaping:

<% @classifications.each do |cls| %>
    <%# cls.name is user-controlled and interpolated verbatim into the label, so any markup stored in it is rendered as HTML %>
    <% if cls.locked && cls.hotkey %>
        <%= drop_down_item "#{cls.name}<span class='shortcut'>#{cls.shortcut}</span>", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %>
    <% else %>
        <%= drop_down_item "#{cls.name}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %>
    <% end %>
<% end %>

Mitigation

A simple XSS mitigation in Rails is the sanitize helper. For example, the code below filters the XSS vector by removing the onerror attribute from the image tag before the name is interpolated:

<% @classifications.each do |cls| %>
    <%# sanitize strips tags and attributes outside the Rails allow-list, so an event-handler attribute such as onerror is dropped %>
    <% if cls.locked && cls.hotkey %>
        <%= drop_down_item "#{sanitize cls.name}<span class='shortcut'>#{cls.shortcut}</span>", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %>
    <% else %>
        <%= drop_down_item "#{sanitize cls.name}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %>
    <% end %>
<% end %>
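As an added example, not from the advisory or from Snorby's code, the vulnerable and hardened templates are rendered side by side with Ruby's standard-library ERB. The Classification struct and drop_down_item are hypothetical stand-ins for Snorby's model and helper, and the hardened variant uses ERB::Util.html_escape (plain output encoding, which renders the whole stored name as text) rather than the Rails sanitize helper shown above, which instead keeps allow-listed tags and drops the onerror attribute.

```ruby
require "erb"

# Constructed stand-in for a Snorby classification row (not Snorby's model).
# `name` is the user-supplied field the advisory identifies as the XSS sink.
Classification = Struct.new(:id, :name, :shortcut, :locked, :hotkey)

# Hypothetical replacement for Snorby's drop_down_item helper, assumed here to
# splice the label into the anchor unchanged, as the advisory's behaviour implies.
def drop_down_item(label, href, _icon, opts)
  attrs = opts.map { |k, v| %(#{k}="#{ERB::Util.html_escape(v)}") }.join(" ")
  %(<a href="#{href}" #{attrs}>#{label}</a>)
end

# The vulnerable pattern from the advisory: cls.name interpolated raw.
VULNERABLE_MENU = <<~'ERB'
  <% @classifications.each do |cls| %>
  <%= drop_down_item "#{cls.name}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %>
  <% end %>
ERB

# Hardened variant: output-encode the name so the browser treats it as text only.
HARDENED_MENU = <<~'ERB'
  <% @classifications.each do |cls| %>
  <%= drop_down_item "#{ERB::Util.html_escape(cls.name)}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %>
  <% end %>
ERB

# Render a template with @classifications bound, as the view would see it.
def render_menu(template, classifications)
  @classifications = classifications
  ERB.new(template, trim_mode: "<>").result(binding)
end

# Constructed sample: a classification whose name carries an image tag with an
# event-handler attribute, the shape of vector the advisory's mitigation targets.
SAMPLE = [Classification.new(7, %(<img src=x onerror="alert(1)">), nil, false, false)]

# Defender's check: does the stored markup reach the response byte-for-byte?
def leaks_markup?(html, stored_name)
  html.include?(stored_name)
end

if __FILE__ == $0
  puts render_menu(VULNERABLE_MENU, SAMPLE)   # the <img> tag survives intact
  puts render_menu(HARDENED_MENU, SAMPLE)     # rendered as &lt;img ...&gt; text
end
```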

Solution

Update to the latest version on GitHub.

Disclosure

References