- users can now be disabled by an admin
  - disabled users cannot log in (via the UI or the API) and will be informed
  - login attempts by disabled users are logged
  - also added the expiration field for later use
- Double sanitisation when editing an attribute/proposal comment removed
- Fixed an issue where an IP/resource was recognised as a CIDR notation IP range instead of a URL
- Changed the flash message for publishing without e-mails to something less scary
- defanged URL type attributes are refanged on input
  - admin script to do the same for all existing attributes
  - admin tool doesn't recognise a word followed by a '.' as a URL
- event index filtering now accepts POST requests with a JSON object
  - format has to be filter syntax passed for each field. Example:
    - {"tags":"OSINT|TLP:WHITE|!PRIVINT", "published":"1"}
  - Fixed an issue with no tags being recognised leading to the index returning an unfiltered list
  - Required for filtered pulls from 2.4
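The filter syntax above is only shown by example on this page. The following is an added illustration (not MISP's own code) of how such a per-field filter object can be evaluated against events, run here over constructed sample events. It assumes the usual reading of the example: '|' separates alternatives for a field, a leading '!' excludes a value, "tags" is matched against an event's tag list, and scalar fields such as "published" are compared as strings.

```python
"""Evaluate a MISP-style event index filter object against events.

Added example, not MISP's own code. Assumed semantics (page shows only the
example {"tags":"OSINT|TLP:WHITE|!PRIVINT", "published":"1"}):
  - '|' separates alternatives (any one may match)
  - a leading '!' excludes that value
  - a field passes if no excluded value is present and, when any positive
    alternative is given, at least one of them is present
"""
import json

# constructed sample events (not real data)
SAMPLE_EVENTS = [
    {"id": 1, "published": "1", "tags": ["OSINT", "TLP:WHITE"]},
    {"id": 2, "published": "1", "tags": ["OSINT", "PRIVINT"]},
    {"id": 3, "published": "0", "tags": ["TLP:WHITE"]},
    {"id": 4, "published": "1", "tags": ["malware"]},
]


def parse_filter(expr):
    """Split one field's filter string into (include, exclude) sets."""
    include, exclude = set(), set()
    for term in expr.split("|"):
        term = term.strip()
        if not term:
            continue
        if term.startswith("!"):
            exclude.add(term[1:])
        else:
            include.add(term)
    return include, exclude


def field_matches(values, expr):
    """True if the event's values for a field satisfy the filter string."""
    include, exclude = parse_filter(expr)
    values = set(values)
    if values & exclude:
        return False
    return not include or bool(values & include)


def filter_events(events, filter_json):
    """Return the ids of events that satisfy every field in the JSON filter."""
    filters = json.loads(filter_json)
    matched = []
    for event in events:
        ok = True
        for field, expr in filters.items():
            value = event.get(field)
            # list-valued fields (tags) are matched element-wise,
            # scalar fields are compared as their string form
            values = value if isinstance(value, list) else [str(value)]
            if not field_matches(values, expr):
                ok = False
                break
        if ok:
            matched.append(event["id"])
    return matched


if __name__ == "__main__":
    body = '{"tags":"OSINT|TLP:WHITE|!PRIVINT", "published":"1"}'
    print(filter_events(SAMPLE_EVENTS, body))  # → [1]
```

Event 2 is dropped by the '!PRIVINT' exclusion, event 3 by "published", and event 4 because none of the positive tag alternatives are present.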
- Discussions
  - Event discussion thread initiated on first post instead of first view
- allows for saving an event even if an attribute fails
  - logs attributes that fail validation
  - same for edit
- add_misp_export updated with the above in mind
  - called Add MISP export now
  - can be an XML / JSON file
  - result browser with explanations of failures
- REST XML/JSON add/edit of events returns errors instead of the partially succeeding event
What works:
- added submodules for taxonomies
- added import tool for taxonomies
- added models and convenience functions for taxonomies
- site admins can update taxonomy libraries
- list taxonomies / view individual ones (with all resolved tags)
- create tags manually if a taxonomy is enabled
- view related tags / events quickly from the Taxonomy view
What doesn't work:
- Users still cannot choose a tag from taxonomy lists (this will be the main functionality)
- Feature cannot be disabled
- Removed the OpenIOC Indicator UUID persistence and moved it to a comment
  - this allows for the same OpenIOC report to be imported into separate events and won't result in a UUID collision
- Reworked the composite indicator resolver
  - more generic, allows for 3 part composites (to allow for regkeypath/regkey/regvalue combinations)
  - Registry values now correctly recognised
- Fixed an issue with the new UUID generation method call in OpenIOC
- Fixed an invalid validation check on the salt key
- Added a note on the server page to make it more obvious that values can be changed by double clicking them
- it didn't use the validation type -> validation method array to call the validation function
- resulted in CC validation not being called as expected
- as discovered and reported by Egidio Romano of Minded Security
- Users with the perm_regex permissions could create a malicious regex that leads to RCE using the PHP /e modifier for preg_replace().
  - Regular expressions are now sanitised on edit / creation of the malicious modifier
  - also added an admin tool that lets admins clean their current set of regexes of the harmful modifier
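The two fixes above amount to the same check applied at two points: once when a regex is saved, and once over the existing set. The following is an added example (not MISP's code; MISP's actual implementation is not shown on this page) of such a check, written in Python so it runs stand-alone: it splits a PHP-style delimited regex into delimiter, pattern and modifier list following PHP's own delimiter rules (first non-whitespace character, bracket-style delimiters nest, backslash escapes the next character) and removes the 'e' modifier, which made preg_replace() evaluate the replacement as PHP code (it was deprecated in PHP 5.5 and removed in PHP 7.0).

```python
"""Strip the PHP preg_replace() 'e' (eval) modifier from delimited regexes.

Added example, not MISP's own code. Splits a PHP-style regex such as
'/pattern/ie' or '(pattern)e' into its delimiter, pattern and modifiers,
then rebuilds it without 'e'. Delimiter handling follows PHP's rules.
"""

# bracket-style delimiters close with their counterpart and may nest
BRACKET_PAIRS = {"(": ")", "[": "]", "{": "}", "<": ">"}


def split_php_regex(regex):
    """Return (open_delim, pattern, modifiers); raise ValueError if malformed."""
    regex = regex.lstrip()
    if not regex or regex[0].isalnum() or regex[0] == "\\":
        raise ValueError("delimiter must not be alphanumeric or backslash")
    open_d = regex[0]
    close_d = BRACKET_PAIRS.get(open_d, open_d)
    depth, i, escaped = 0, 1, False
    while i < len(regex):
        c = regex[i]
        if escaped:
            escaped = False            # character after a backslash is literal
        elif c == "\\":
            escaped = True
        elif c == open_d and close_d != open_d:
            depth += 1                 # nested bracket delimiter inside pattern
        elif c == close_d:
            if depth == 0:
                return open_d, regex[1:i], regex[i + 1:]
            depth -= 1
        i += 1
    raise ValueError("no ending delimiter found")


def has_e_modifier(regex):
    """True if the regex carries the 'e' modifier."""
    return "e" in split_php_regex(regex)[2]


def sanitise_regex(regex):
    """Return the regex with every 'e' modifier removed, other modifiers kept."""
    open_d, pattern, mods = split_php_regex(regex)
    close_d = BRACKET_PAIRS.get(open_d, open_d)
    return open_d + pattern + close_d + mods.replace("e", "")


def sanitise_all(regexes):
    """Clean an existing list of regexes, as an admin clean-up tool would.

    Returns (cleaned, rejected); malformed entries are reported, not kept.
    """
    cleaned, rejected = [], []
    for r in regexes:
        try:
            cleaned.append(sanitise_regex(r))
        except ValueError:
            rejected.append(r)
    return cleaned, rejected


if __name__ == "__main__":
    # constructed sample set: harmless, /e with other flags, bracket delimiter, malformed
    sample = ["/foo/i", "/(.*)/ie", "(a(b)c)e", "/unterminated"]
    print(sanitise_all(sample))
```

The split step matters more than the final `replace`: a check that merely looked for the letter 'e' anywhere in the string would reject patterns containing it and miss nothing only by accident, whereas isolating the modifier list after the real closing delimiter (including escaped delimiters and nested brackets) targets exactly the part preg_replace() reads as flags.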
- some JSON actions worked by passing the .json extension in the URL
  - these pages were correctly returning JSON but were often internally running through the HTML code-path thanks to an invalid detection
  - the new correct detection should provide a major speed boost for certain JSON requests
- Changing the auth key now creates a log entry that includes the user's ID, e-mail address, and the old and new authkeys
  - Also removed the logging of the hashed password for newly created users
- It seems like relying on the Accept header can lead to the data type detection failing when accessing .json extension views
  - this issue seems to have gone unnoticed since until now the data passed to the json view was the same as that passed to the html view
  - this means that all the additional UI only features may have triggered in the background previously on .json views
  - as discovered and reported by Egidio Romano of Minded Security
- Lacking checks of HTTP methods in some functionality could lead to a site admin uploading and executing malicious scripts
  - Tightened HTTP method verification across the board for actions that modify data
  - Turned some administrative tasks to POST only actions
  - as discovered and reported by Egidio Romano of Minded Security
- The site admin file upload tool allowed for unrestricted file upload that could lead to RCE
  - Fixed the file uploader to be much more restrictive
  - removed the interactive terms file upload