Reliance on Cookies without Validation and Integrity Checking in getgrav/grav

Valid

Reported on

Jul 2nd 2021


✍️ Description

A cookie with an overly broad path can be accessed through other applications on the same domain.

🕵️‍♂️ Proof of Concept

Consider an application deployed at http://real.example.com/grav that sets a session ID cookie with path "/" when users log in to the forum. The following call, at session.php line 134, is the vulnerable code:

setcookie($name, json_encode($object), time() + $time, '/');

💥 Impact

Suppose an attacker creates another application at http://evil.example.com/EvilSite and posts a link to this site on the forum. When a user of the forum clicks on the link, the user's browser will send the cookie set by http://real.example.com/grav to the application running at /EvilSite. By stealing the session ID, the attacker is able to compromise the account of any forum user who browsed to /EvilSite.

In addition to reading a cookie, it might be possible for an attacker to perform a cookie poisoning attack by using /EvilSite to create their own overly broad cookie that overwrites the cookie from http://real.example.com/grav.
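The vulnerable call shown above beside a path-scoped alternative, as an added example that is not Grav's own code or its fix; sessionCookiePath, the base URL and the cookie attribute values are assumptions:

```php
<?php
// Added example (not Grav's code): derive the cookie path from the
// application's base URL instead of hard-coding '/'.

/**
 * Path scope for a session cookie of an app served under $baseUrl,
 * e.g. "http://real.example.com/grav" -> "/grav".
 * Per RFC 6265 a cookie path "/grav" matches "/grav" and "/grav/...",
 * but not "/gravity" or other apps on the same host.
 * Falls back to "/" only when the app is served at the site root.
 */
function sessionCookiePath(string $baseUrl): string
{
    $path = parse_url($baseUrl, PHP_URL_PATH);
    if (!is_string($path) || rtrim($path, '/') === '') {
        return '/';
    }
    return rtrim($path, '/');
}

// Vulnerable form, as on the page: path "/" makes the cookie visible to
// every application under the same host.
function setSessionCookieBroad(string $name, $object, int $time): bool
{
    return setcookie($name, json_encode($object), time() + $time, '/');
}

// Scoped form (assumed hardening, PHP >= 7.3 options array): restrict the
// path to the application and add Secure/HttpOnly/SameSite so the cookie
// is not sent in plaintext, readable by script, or attached cross-site.
function setSessionCookieScoped(string $name, $object, int $time, string $baseUrl): bool
{
    return setcookie($name, json_encode($object), [
        'expires'  => time() + $time,
        'path'     => sessionCookiePath($baseUrl),
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Hypothetical usage: sessionCookiePath('http://real.example.com/grav') === '/grav'
```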

References

We have contacted a member of the getgrav/grav team and are waiting to hear back 2 years ago
Akshay Jain
2 years ago

Researcher


Hi Team, Any updates?

Matias Griese
a year ago

Looks like this has been fixed long time ago in commit c51fb1779b83f620c0b6f3548d4a96322b55df07

I will approve this anyway as it used to be an issue.

Matias Griese validated this vulnerability a year ago
Akshay Jain has been awarded the disclosure bounty
The fix bounty is now up for grabs
Matias Griese marked this as fixed in 1.7.21 with commit c51fb1 a year ago
Matias Griese has been awarded the fix bounty
This vulnerability will not receive a CVE
Session.php#L154 has been validated