Reliance on Cookies without Validation and Integrity Checking in getgrav/grav
Reported on Jul 2nd 2021
✍️ Description
A cookie with an overly broad path can be accessed through other applications on the same domain.
🕵️♂️ Proof of Concept
The application is deployed at http://real.example.com/grav and sets a session ID cookie with path "/" when users log in to the forum. The following code in session.php (line 134) is vulnerable because the cookie path is the whole site root rather than the application's own path:
setcookie($name, json_encode($object), time() + $time, '/');
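As an added example (not Grav's own code, and not the project's fix), the reported call is shown beside a form that scopes the cookie to the application's own path and sets the usual session-cookie flags; the appBasePath helper and the use of the PHP 7.3+ options array for setcookie are assumptions:

```php
<?php
// Added example, not Grav's code. appBasePath() is a hypothetical helper.

function appBasePath(): string
{
    // Directory of the front controller, e.g. "/grav" when the app is served
    // from http://real.example.com/grav/index.php; "/" when it is at the root.
    $dir = rtrim(dirname($_SERVER['SCRIPT_NAME'] ?? '/'), '/');
    return $dir === '' ? '/' : $dir;
}

// Vulnerable form (as reported): path "/" makes the cookie visible to every
// application served under the same host.
function setBroadCookie(string $name, $object, int $time): bool
{
    return setcookie($name, json_encode($object), time() + $time, '/');
}

// Hardened form: the cookie is only sent for this application's path, is not
// readable by script, travels only over HTTPS, and is withheld from
// cross-site navigations.
function setScopedCookie(string $name, $object, int $time): bool
{
    return setcookie($name, json_encode($object), [
        'expires'  => time() + $time,
        'path'     => appBasePath(),
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}
```

Path scoping limits which requests carry the cookie, but RFC 6265 explicitly does not treat the path as a security boundary against other content on the same origin, so the httponly flag and keeping untrusted applications off the same host still matter.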
💥 Impact
Suppose an attacker creates another application at http://evil.example.com/EvilSite and posts a link to this site on the forum. When a user of the forum clicks on the link, the user's browser will send the cookie set by http://real.example.com/grav to the application running at /EvilSite. By stealing the session ID, the attacker is able to compromise the account of any forum user that browsed to /EvilSite.
In addition to reading a cookie, it might be possible for attackers to perform a Cookie Poisoning attack by using /EvilSite to create its own overly broad cookie that overwrites the cookie from http://real.example.com/grav.
Looks like this was fixed a long time ago in commit c51fb1779b83f620c0b6f3548d4a96322b55df07.
I will approve this anyway, as it used to be an issue.