CVE-2026-56446
Remote Code Execution in MISP via Log Injection

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Description
MISP allowed a site administrator to configure an arbitrary filesystem path for the NDJSON error log used by JsonLogTool. Because log entries can include attacker-controlled content, an authenticated attacker with site administrator privileges could direct log output to a PHP file in a web-accessible directory and inject PHP code through logged data. Accessing the resulting file could lead to remote code execution with the privileges of the web server process. The fix restricts log destinations to existing directories beneath APP/tmp/logs or /var/log, requires absolute paths, rejects stream wrappers and traversal-related input, and limits filenames to .log or .ndjson extensions while disallowing executable extension segments.
Meta Information
Published: 2026-06-22
Last Modified: 2026-06-22
Generated: 2026-06-22
AI Q&A: 2026-06-22
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
misp | misp | to 5a6e4751-2f3f-4070-9419-94fb35b644e8 (inc)
CWE ID | Description
CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Compliance Impact

This vulnerability allows an authenticated site administrator to inject and execute arbitrary PHP code on the server by manipulating log file paths and contents. Such unauthorized remote code execution can lead to data breaches, unauthorized access, and potential manipulation or exposure of sensitive information.

Because standards like GDPR and HIPAA require strict controls to protect personal and sensitive data, this vulnerability could compromise compliance by enabling attackers to access or alter protected data, disrupt system integrity, or exfiltrate information.

The vulnerability's exploitation risks violating confidentiality, integrity, and availability requirements mandated by these regulations, potentially resulting in legal and financial consequences for affected organizations.

Executive Summary

This vulnerability in MISP allows a site administrator to set an arbitrary filesystem path for the NDJSON error log used by JsonLogTool. Because log entries can contain attacker-controlled content, an authenticated attacker with site administrator privileges could exploit this by directing log output to a PHP file in a web-accessible directory and injecting PHP code through the logged data.

If the attacker then accesses this PHP file, it could lead to remote code execution with the privileges of the web server process.

The vulnerability was fixed by restricting log destinations to existing directories under APP/tmp/logs or /var/log, requiring absolute paths, rejecting stream wrappers and traversal-related input, and limiting filenames to .log or .ndjson extensions while disallowing executable extensions.

Impact Analysis

If exploited, this vulnerability can allow an attacker with site administrator access to execute arbitrary code on the server running MISP.

This remote code execution could lead to full compromise of the web server process, potentially allowing the attacker to control the server, access sensitive data, or disrupt services.

Detection Guidance

Detection of this vulnerability involves checking if the MISP instance allows site administrators to configure arbitrary filesystem paths for the NDJSON error log used by JsonLogTool. Since the vulnerability permits writing PHP code into web-accessible directories via log files, one detection method is to inspect the log file paths and filenames configured in the system.

Specifically, you can verify if any log files with suspicious extensions (e.g., .php) exist in web-accessible directories, which could indicate exploitation attempts.

Commands to assist detection might include:

  • Find log files with potentially dangerous extensions in web directories: find /var/www/html -type f \( -name "*.php" -o -name "*.php5" -o -name "*.phtml" \)
  • Check configured log paths in MISP configuration files or database for paths outside allowed directories (APP/tmp/logs or /var/log). This requires access to MISP configuration or database queries.
  • Monitor web server logs for requests to suspicious log files that may contain injected PHP code.
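
The find command above lists every PHP file under the web root, legitimate application files included. The following added example (not MISP code and not part of the original advisory) narrows that to PHP-servable files whose content is NDJSON-shaped, which is what a redirected JsonLogTool log would look like; the function names, the line limit and the default web root are assumptions.

```python
import json
import os
import sys

# Extensions from the find command above; assumed to be PHP-handled here.
PHP_SEGMENTS = {"php", "php5", "phtml"}

def ndjson_lines(path, limit=2000):
    """Count lines (within the first `limit`) that parse as a non-empty JSON
    object, and note whether any such line carries a PHP open tag."""
    count, tagged = 0, False
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for i, line in enumerate(fh):
            if i >= limit:
                break
            try:
                obj = json.loads(line)
            except ValueError:
                continue  # ordinary PHP source lines end up here
            if isinstance(obj, dict) and obj:
                count += 1
                tagged = tagged or "<?" in line
    return count, tagged

def find_log_shaped_php(web_root):
    """Return (path, json_line_count, has_php_tag) for PHP-servable files
    whose content looks like NDJSON log output."""
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            # Check every dot-separated segment, not only the last one.
            if not PHP_SEGMENTS & set(name.lower().split(".")[1:]):
                continue
            path = os.path.join(dirpath, name)
            count, tagged = ndjson_lines(path)
            if count:
                hits.append((path, count, tagged))
    return sorted(hits)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www/html"
    for path, count, tagged in find_log_shaped_php(root):
        print(f"{path}: {count} JSON log lines, php tag: {tagged}")
```

A hit with a PHP open tag inside a JSON line is the pattern to triage first; a hit without one still means log output is landing in a file the web server may execute.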

Mitigation Strategies

Immediate mitigation steps include restricting the NDJSON error log path configuration to only allow absolute paths within approved directories such as APP/tmp/logs or /var/log.

Ensure that log filenames only have .log or .ndjson extensions and do not contain any executable extensions like .php, .py, or .sh.

Apply the patch or update that introduces the `testLogPath` function which enforces strict validation of log paths and filenames, preventing path traversal, stream wrappers, and disallowed extensions.
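
To audit a configured log path against the rules listed for the fix (and to carry out the configuration check mentioned under Detection Guidance), the following added example applies them in Python. It is not MISP's `testLogPath` and not code from the advisory; the function name, the messages and the assumed install location of APP/tmp/logs are illustrative, and POSIX paths are assumed.

```python
import os
import sys

ALLOWED_EXTS = (".log", ".ndjson")
# Executable extensions named on the page; extend for local handlers.
EXEC_SEGMENTS = {"php", "php5", "phtml", "py", "sh"}
# Assumed install location for APP/tmp/logs; adjust to the local deployment.
DEFAULT_ROOTS = ["/var/www/MISP/app/tmp/logs", "/var/log"]

def audit_log_path(path, allowed_roots=DEFAULT_ROOTS):
    """Return the rule violations for a configured log path (empty list = OK)."""
    if "\x00" in path or "://" in path:
        return ["stream wrapper or NUL byte"]
    if not os.path.isabs(path):
        return ["not an absolute path"]
    problems = []
    if ".." in path.split("/"):
        problems.append("traversal segment")
    directory, filename = os.path.split(path)
    lower = filename.lower()
    if not lower.endswith(ALLOWED_EXTS):
        problems.append("extension is not .log or .ndjson")
    # Every dot-separated segment counts, so errors.php.log is rejected too.
    if EXEC_SEGMENTS & set(lower.split(".")[1:]):
        problems.append("executable extension segment")
    # Resolve symlinks before comparing against the allowed roots.
    real_dir = os.path.realpath(directory)
    roots = [os.path.realpath(r) for r in allowed_roots]
    if not os.path.isdir(real_dir):
        problems.append("directory does not exist")
    elif not any(os.path.commonpath([real_dir, r]) == r for r in roots):
        problems.append("directory outside allowed roots")
    return problems

if __name__ == "__main__":
    for configured in sys.argv[1:]:
        issues = audit_log_path(configured)
        print(configured, "->", "; ".join(issues) or "OK")
```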

Limit the ability to configure log paths to CLI-only operations if possible, to reduce risk from web-based configuration.

Additionally, review and restrict site administrator privileges to trusted users only, as exploitation requires authenticated site admin access.
