[Vulnerability - Authorization] #2353
Comments
Hello @egrullon, first of all, thanks for creating an issue. Can you please tell more about:
Thanks
Hi @nadouani,
- the type of authentication you use? "local, ldap, ad"?
- is the second login call already authenticated? (Session cookie?)
- what's the full response of the second API call that returns 200?
Thanks,
Maybe this issue is a duplicate of #2355
Hi @nadouani,
Hi Nadouani,
How are you doing today?
Please verify the MITRE links
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27988
And
#2353 (comment)
Can you please verify this?
Best regards,
On Wed, Mar 30, 2022, 11:56 AM Nabil Adouani ***@***.***> wrote:
Hello @egrullon <https://github.com/egrullon> first of all, thanks for
creating an issue.
Can you please tell more about:
- the type of authentication you use? "local, ldap, ad"?
- is the second login call already authenticated? (Session cookie?)
- what's the full response of the second API call that returns 200?
Thanks
@egrullon can you please drop a link to download the TheHive ISO......
Request Type
Vulnerability - Authorization
Work Environment
Problem Description
Using a web proxy tool such as BurpSuite, a domain user can capture the request sent when logging in with their own account, replace the name of their domain user with another existing user in TheHive (this is done in the Repeater tab in BurpSuite) without entering a password, and simply hit send; the server replies with a status of 200 OK, and with this we can now switch to that other user.
Steps to Reproduce
Using BurpSuite, activate "Intercept is on" and capture the login with the correct credentials.
In BurpSuite you get the following:
{
"user":"[email protected]",
"password":"EDSecr3t12677849*rRHYWs"
}
Send this to the Repeater in BurpSuite, replace the user with another user, and leave the password empty:
{
"user":"[email protected]",
"password":""
}
Then we can see the response from the server with a 200 OK.
Note: the user edwin.grullon must be logged in to the application.
After the 200 OK in the response, we proceed to right-click > Request in browser > In original session.
We copy the URL and paste it into the browser where the user edwin.grullon is logged in to the application.
We refresh the page and click the arrow to go back in the browser.
It now appears logged in as the user juan.perez, who is registered in TheHive.
Possible Solutions
Update to the latest version to ensure that the control mechanisms are properly hardened on the server side.
Reference: https://cwe.mitre.org/data/definitions/285.html
Complementary information
Discovery date: 02/15/2022
Device manufacturer: TheHive-Projects
Device model:
Device version: 4.1.16-1
Affected components: TheHive-Projects 4.1.16-1
CVSS v3: 7.7
CWE: CWE-285
Applicant name: Edwin Grullon Aybar
Organization: Personal
Email: [email protected]
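As an added example (not code from TheHive or from the reporter), the following shows the server-side behaviour that closes the two conditions in the steps above: a login body with an empty password, and a login issued from a session already bound to a different user. The user store, salt, passwords and audit records are constructed for the demo; the `login` and `flag_suspicious_logins` functions are hypothetical, not a TheHive API.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed demo user store (not real TheHive accounts or credentials):
# username -> PBKDF2 hash of the password under a fixed demo salt.
_SALT = b"constructed-demo-salt"
def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS = {"edwin.grullon": _hash("demo-pass-1"), "juan.perez": _hash("demo-pass-2")}

@dataclass
class Session:
    sid: str
    user: str = ""  # empty until a login succeeds

def login(session: Session, body: dict) -> tuple:
    """Return (HTTP status, session); an authenticated session earns no shortcut."""
    user, password = body.get("user", ""), body.get("password", "")
    # 1. Reject a blank user or password before any lookup (the replay in the
    #    report sent an empty password and still received 200).
    if not user or not password:
        return 400, session
    stored, candidate = USERS.get(user), _hash(password)
    # 2. Unknown users and wrong passwords share one constant-time path.
    if stored is None or not hmac.compare_digest(stored, candidate):
        return 401, session
    # 3. Success never mutates the caller's session: a fresh id is issued, so
    #    an existing session cannot be re-pointed at another account.
    return 200, Session(sid=secrets.token_hex(16), user=user)

# Constructed login-audit records (ts, user named in the body, password
# length, user the presenting session was already bound to, if any).
EVENTS = [
    {"ts": "t1", "user": "edwin.grullon", "password_len": 23, "session_user": ""},
    {"ts": "t2", "user": "juan.perez", "password_len": 0, "session_user": "edwin.grullon"},
]

def flag_suspicious_logins(events: list) -> list:
    """Detection: empty passwords, and logins from a session bound to another user."""
    findings = []
    for e in events:
        if e["password_len"] == 0:
            findings.append(f"{e['ts']} empty password in login as {e['user']}")
        if e["session_user"] and e["session_user"] != e["user"]:
            findings.append(f"{e['ts']} session of {e['session_user']} tried login as {e['user']}")
    return findings
```

Record `t2` reproduces the report's replay (empty password sent from edwin.grullon's session naming juan.perez) and is flagged twice, once per condition.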