Commit Graph

2793 Commits (c94d67275fa793df7a1bbba5e71a864a2214c756)

Author SHA1 Message Date
iglocska c94d67275f Fix to an issue with the proposal uploader
- also a small fix to the baseurl auto detection
2015-11-26 16:38:39 +01:00
iglocska 9cc80d7c0c Merge branch 'master' into develop 2015-11-22 17:41:54 +01:00
iglocska cb0ac8b0c3 Merge branch 'master' of https://github.com/MISP/MISP 2015-11-22 17:41:38 +01:00
iglocska 751f57830e Merge branch 'hotfix-2.3.164' 2015-11-22 17:41:00 +01:00
iglocska ca51b55d6b Changes to the OpenIOC Import, fixes #725
- Removed the OpenIOC Indicator UUID persistence and moved it to a comment
  - this allows for the same OpenIOC report to be imported into separate events and won't result in a UUID collision

- Reworked the composite indicator resolver
  - more generic, allows for 3 part composites (to allow for regkeypath/regkey/regvalue combinations)

- Registry values now correctly recognised
2015-11-22 17:38:11 +01:00
Alexandre Dulaunoy 1cd7f6bd04 Initial JSON schema - MISP event (version 2.3) 2015-11-20 10:28:11 +01:00
iglocska 352c7d31c7 Merge branch 'hotfix-2.3.163' into develop 2015-11-19 17:13:41 +01:00
iglocska 7f8ee7ddba Merge branch 'hotfix-2.3.163' 2015-11-19 16:52:41 +01:00
iglocska 2daaee5333 Version bump 2015-11-19 16:52:25 +01:00
iglocska 56adab6122 Bugfix pack, fixes #724, fixes #721
- Fixed an issue with the new UUID generation method call in OpenIOC
- Fixed an invalid validation check on the salt key

- Added a note on the server page to make it more obvious that values can be changed by double clicking them
2015-11-19 16:50:14 +01:00
iglocska f8fbcc1c60 Merge branch 'master' into develop 2015-11-17 12:07:54 +01:00
iglocska b02480c5eb Merge branch 'hotfix-2.3.162'
Conflicts:
	app/View/Elements/side_menu.ctp
2015-11-17 12:07:05 +01:00
iglocska bda6923018 Security fix fixing an XSS issue with the templates
- as discovered and reported by Rafael Pablos García of INCIBE

- fixed a reflected XSS for template creator users when viewing a template
2015-11-17 11:58:56 +01:00
iglocska 41b3ef3d9f Merge branch 'hotfix-2.3.161' into develop 2015-11-17 10:22:57 +01:00
iglocska ce49216514 Merge branch 'hotfix-2.3.161' 2015-11-17 10:22:40 +01:00
iglocska e96c05b987 Fix to a recent patch breaking the publish button 2015-11-17 10:21:44 +01:00
iglocska 7ee1a9bab2 Merge branch 'hotfix-2.3.160' into develop 2015-11-17 01:18:18 +01:00
iglocska 8a5f725547 Merge branch 'hotfix-2.3.160' 2015-11-17 01:17:55 +01:00
iglocska 332d5fa666 Reverted the sanitisation of the baseurl variable on the view level
- sanitising it in appcontroller instead
2015-11-17 01:17:10 +01:00
iglocska 54d469f854 Merge branch 'hotfix-2.3.160' into develop 2015-11-17 00:38:45 +01:00
iglocska 63915ab714 Merge branch 'hotfix-2.3.160' 2015-11-17 00:38:05 +01:00
iglocska 6cb7cc7748 Fixed some deprecated validations left over from the purge a few weeks ago 2015-11-17 00:35:32 +01:00
iglocska b3a2428345 Merge branch 'basedir' into hotfix-2.3.160
Conflicts:
	app/Controller/AppController.php
	app/View/Pages/administration.ctp
2015-11-17 00:33:34 +01:00
iglocska 053c27ae9a Removed a crappy solution to an issue with attributes being overwritten that was fixed a long time ago correctly on data entry 2015-11-16 19:51:38 +01:00
iglocska cd3096a38f Fixed a security issue with the regular expressions
- as discovered and reported by Egidio Romano of Minded Security

- Users with the perm_regex permissions could create a malicious regex that leads to RCE using the PHP /e modifier for preg_replace().
- Regular expressions are now sanitised on edit / creation of the malicious modifier

- also added an admin tool that lets admins clean their current set of regexes of the harmful modifier
2015-11-16 19:47:31 +01:00
iglocska ac2cd88be7 Merge branch 'hotfix-2.3.159' into develop 2015-11-16 00:28:54 +01:00
iglocska 770e30b842 Merge branch 'hotfix-2.3.159' 2015-11-16 00:27:49 +01:00
iglocska 3045cc2630 Fixed an invalid detection of JSON requests when not passing the accept header
- some json actions worked by passing the .json extension in the url
- these pages were correctly returning JSONs but were often internally running through the HTML code-path thanks to an invalid detection
- the new correct detection should provide a major speed boost for certain json requests
2015-11-16 00:25:21 +01:00
iglocska da5fac5873 Added logging of auth key changes, fixes #715
- Changing the auth key now creates a log entry that includes the user's ID, e-mail address, and old and new authkeys
- Also removed the logging of the hashed password for newly created users
2015-11-16 00:22:58 +01:00
iglocska 406b6de3e0 Merge branch 'hotfix-2.3.158' into develop 2015-11-14 00:23:23 +01:00
iglocska 35cd740b6e Merge branch 'master' of https://github.com/MISP/MISP 2015-11-14 00:05:00 +01:00
iglocska e906328a0e Merge branch 'hotfix-2.3.158' 2015-11-14 00:04:15 +01:00
iglocska 697ff43465 Version bump 2015-11-14 00:03:41 +01:00
iglocska 6bc6f281aa Added an additional role to the default installation
- by default there was no publisher role
2015-11-14 00:03:10 +01:00
iglocska afdcc1af0c Fixed a security issue with the CSRF protection being avoidable using some site admin functionality
- as discovered and reported by Egidio Romano of Minded Security

- Lacking checks of HTTP methods in some functionality could lead to a site admin uploading and executing malicious scripts

- Tightened HTTP method verification across the board for actions that modify data
- Turned some administrative tasks to POST only actions
2015-11-13 23:57:03 +01:00
iglocska a380458d2e Fixed a security issue with the site admin file uploader
- as discovered and reported by Egidio Romano of Minded Security

- The site admin file upload tool allowed for unrestricted file upload that could lead to RCE
- Fixed the file uploader to be much more restrictive
- removed the interactive terms file upload
2015-11-13 23:48:29 +01:00
Alexandre Dulaunoy 0fe4cf63ca PyMISP submodule updated 2015-11-13 11:24:59 +01:00
Alexandre Dulaunoy 4723431ab0 PyMISP submodule updated 2015-11-13 11:12:57 +01:00
Alexandre Dulaunoy c86fa28a90 PyMISP updated 2015-11-13 10:55:40 +01:00
iglocska 82c9680b10 Merge branch 'hotfix-2.3.157' into develop 2015-11-12 09:47:49 +01:00
iglocska b097435879 Merge branch 'hotfix-2.3.157' 2015-11-12 09:47:34 +01:00
iglocska 69031ab35e Fixed an issue where PGP keys that are set to never expire show up as expired 2015-11-12 09:46:33 +01:00
iglocska d568803aa8 Merge branch 'hotfix-2.3.156' into develop 2015-11-11 17:05:44 +01:00
iglocska 3a540542ed Merge branch 'hotfix-2.3.156' 2015-11-11 17:04:49 +01:00
iglocska 675ceb2e0e Better verification of PGP keys
- checks whether the key can be used to encrypt and whether it's expired
2015-11-11 17:03:59 +01:00
iglocska 2addc61346 Merge branch 'hotfix-2.3.155' into develop 2015-11-10 15:25:20 +01:00
iglocska 6baa3bea00 Merge branch 'hotfix-2.3.155' 2015-11-10 15:23:29 +01:00
iglocska 6548297b80 Merge branch 'hotfix-2.3.154' into hotfix-2.3.155
Conflicts:
	VERSION.json
2015-11-10 15:22:10 +01:00
iglocska 9f85c40145 Fix to a security issue
- as reported by RichieB2B
- Trying to view an event that doesn't exist and one that the user has no access to resulted in different error messages
2015-11-10 15:18:33 +01:00
iglocska c46922be12 Fix to a security issue in the PGP fetching tool
- reported by RichieB2B
- The scraped URL for the PGP fetching tool was not sanitised before being echoed
2015-11-10 15:17:15 +01:00