Summary
An unauthenticated user can trigger Lookyloo's "report a capture" email on demand (this is expected). The /json/<uuid>/report API endpoint (CaptureReport) is incorrectly passing the email and comment parameters, overwriting as_admin. When True, as_admin will trigger a search query on a MISP instance (if configured) and add a list of matching URLs in the email sent to the analyst (not the submitter, so there is no risk of leaking information) . It could potentially cause a DoS on the MISP instance.
Details
See PR#1330. Fixes the positional parameter calling bug by using named arguments, and adds an email regex guard as additional defense.
PoC
curl -X POST 'https://<lookyloo-host>/json/<capture_uuid>/report' \
-H 'Content-Type: application/json' \
-d '{"email": "yes-please-treat-me-as=-admin", "comment": "attacker@evil.example"}'
as_admin is truthy (string evals true)
email is attacker@evil.example
comment is None
Impact
Possible DoS of the analyst MISP instance.
Fix
The issue is fixed by d5b9a40
Summary
An unauthenticated user can trigger Lookyloo's "report a capture" email on demand (this is expected). The
/json/<uuid>/reportAPI endpoint (CaptureReport) is incorrectly passing theemailandcommentparameters, overwritingas_admin. WhenTrue,as_adminwill trigger a search query on a MISP instance (if configured) and add a list of matching URLs in the email sent to the analyst (not the submitter, so there is no risk of leaking information) . It could potentially cause a DoS on the MISP instance.Details
See PR#1330. Fixes the positional parameter calling bug by using named arguments, and adds an email regex guard as additional defense.
PoC
as_adminis truthy (string evals true)email is
attacker@evil.examplecomment is None
Impact
Possible DoS of the analyst MISP instance.
Fix
The issue is fixed by d5b9a40