fix: [security] Insufficient ACL checks in the attachment downloader fixed

- Thanks to Jakub Onderka for reporting it
pull/6075/head
mokaddem 2020-06-29 14:10:23 +02:00
parent 6321e02e34
commit d14ce7de70
No known key found for this signature in database
GPG Key ID: 164C473F627A06FA
1 changed files with 22 additions and 25 deletions


@ -349,21 +349,19 @@ class AttributesController extends AppController
public function download($id = null)
{
$this->Attribute->id = $id;
if (!$this->Attribute->exists()) {
throw new NotFoundException(__('Invalid attribute'));
if (is_numeric($id)) {
$conditions = array('Attribute.id' => $id);
} elseif (Validation::uuid($id)) {
$conditions = array('Attribute.uuid' => $id);
} else {
throw new NotFoundException(__('Invalid attribute id.'));
}
$this->Attribute->read();
if (!$this->_isSiteAdmin() &&
$this->Auth->user('org_id') !=
$this->Attribute->data['Event']['org_id'] &&
(
$this->Attribute->data['Event']['distribution'] == 0 ||
$this->Attribute->data['Attribute']['distribution'] == 0
)) {
throw new UnauthorizedException(__('You do not have the permission to view this event.'));
$conditions['Attribute.type'] = array('attachment', 'malware-sample');
$attributes = $this->Attribute->fetchAttributes($this->Auth->user(), array('conditions' => $conditions, 'flatten' => true));
if (empty($attributes)) {
throw new UnauthorizedException(__('Attribute does not exists or you do not have the permission to download this attribute.'));
}
$this->__downloadAttachment($this->Attribute->data['Attribute']);
$this->__downloadAttachment($attributes[0]['Attribute']);
}
private function __downloadAttachment($attribute)
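Review bot: The authorisation on this path now rests entirely on `fetchAttributes()` applying the caller's ACL, and nothing at the call site records that, so a later edit that swaps in a plain `find()` would silently reintroduce the hole this commit closes; the line that sets `$conditions['Attribute.type']` deserves a comment such as `// ACL is enforced inside fetchAttributes(); do not replace this with a direct find()`. The whole lookup block (id/uuid branching, type filter, empty check, `$attributes[0]['Attribute']`) is repeated in the hunk at line 2014, so it would be cleaner as one private helper taking `$user` and `$id` and returning the attribute row, used by both callers. Two smaller points: `is_numeric()` also accepts forms like `'1e3'` or `' 5'`, so `ctype_digit((string)$id)` matches the intent of the numeric branch more tightly; and the new message `'Attribute does not exists …'` should read `does not exist`. Serving `$attributes[0]` presumes the uuid branch yields at most one row, which is presumably what the schema guarantees but is not asserted here.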
@ -2016,20 +2014,19 @@ class AttributesController extends AppController
if (!$user) {
throw new UnauthorizedException(__('This authentication key is not authorized to be used for exports. Contact your administrator.'));
}
$this->Attribute->id = $id;
if (!$this->Attribute->exists()) {
throw new NotFoundException(__('Invalid attribute or no authorisation to view it.'));
if (is_numeric($id)) {
$conditions = array('Attribute.id' => $id);
} elseif (Validation::uuid($id)) {
$conditions = array('Attribute.uuid' => $id);
} else {
throw new NotFoundException(__('Invalid attribute id.'));
}
$this->Attribute->read(null, $id);
if (!$user['User']['siteAdmin'] &&
$user['User']['org_id'] != $this->Attribute->data['Event']['org_id'] &&
(
$this->Attribute->data['Event']['distribution'] == 0 ||
$this->Attribute->data['Attribute']['distribution'] == 0
)) {
throw new NotFoundException(__('Invalid attribute or no authorisation to view it.'));
$conditions['Attribute.type'] = array('attachment', 'malware-sample');
$attributes = $this->Attribute->fetchAttributes($user, array('conditions' => $conditions, 'flatten' => true));
if (empty($attributes)) {
throw new UnauthorizedException(__('Attribute does not exists or you do not have the permission to download this attribute.'));
}
$this->__downloadAttachment($this->Attribute->data['Attribute']);
$this->__downloadAttachment($attributes[0]['Attribute']);
}
public function text()
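Review bot: `fetchAttributes($user, …)` is now the only authorisation step here, but `$user` comes from the API-key lookup above the hunk, whereas `download()` passes `$this->Auth->user()`; the removed line `$user['User']['siteAdmin']` suggests this array is nested under a `'User'` key, while `$this->Auth->user('org_id')` in the first hunk reads a flat one. If `fetchAttributes()` expects a single shape, the ACL conditions it derives from `org_id`/role flags could be built from missing keys and give a different answer than intended, so this is worth confirming against `fetchAttributes()` and documenting with `// $user must have the same shape as $this->Auth->user() for the ACL in fetchAttributes() to apply`. The enclosing function starts before the hunk, so the origin of `$user` cannot be checked from here. The `is_numeric()` versus `ctype_digit()` remark and the `does not exists` wording from the first hunk apply to this copy as well.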