Reliance on Cookies without Validation and Integrity Checking in getgrav/grav

Valid

Reported on

Jul 2nd 2021


✍️ Description

A cookie with an overly broad path can be accessed through other applications on the same domain.

🕵️‍♂️ Proof of Concept

Application deployed at http://real.example.com/grav and the application sets a session ID cookie with path "/" when users log in to the forum. then below code is vulnerable at session.php in line 134

setcookie($name, json_encode($object), time() + $time, '/');

💥 Impact

Suppose an attacker creates another application at http://evil.example.com/EvilSite and posts a link to this site on the forum. When a user of the forum clicks on the link, his browser will send the cookie set by http://real.example.com/grav to the application running at /EvilSite. By stealing the session ID, the attacker is able to compromise the account of any forum user that browsed to /EvilSite.

In addition to reading a cookie, it might be possible for attackers to perform a Cookie Poisoning attack by using /EvilSite to create its own overly broad cookie that overwrites the cookie from http://real.example.com/grav

References

We have contacted a member of the getgrav/grav team and are waiting to hear back a year ago
Akshay Jain
10 months ago

Researcher


Hi Team, Any updates?

Matias Griese
4 months ago

Maintainer


Looks like this has been fixed long time ago in commit c51fb1779b83f620c0b6f3548d4a96322b55df07

I will approve this anyway as it used to be an issue.

Matias Griese validated this vulnerability 4 months ago
Akshay Jain has been awarded the disclosure bounty
The fix bounty is now up for grabs
Matias Griese confirmed that a fix has been merged on c51fb1 4 months ago
Matias Griese has been awarded the fix bounty
Session.php#L154 has been validated
to join this conversation