Sensitive Cookie Without HttpOnly Flag in fossbilling/fossbilling

Valid

Reported on

Jun 16th 2023


Description

1/ Access and log in to the demo website: https://demo.fossbilling.org/

2/ Press F12 or right-click the page to open the browser developer tools.

3/ In the Application tab, choose Cookies: the BOXCLR cookie (a sensitive cookie) is set without the HttpOnly flag.

Proof of Concept

Link image: https://drive.google.com/file/d/1tdtPC_MUZCU4VgK41jrA4YCCYm7vowrt/view?usp=sharing

Impact

If the HttpOnly flag is not set, then sensitive information stored in the cookie may be exposed to unintended parties.

If the cookie is an authentication cookie, then not setting the HttpOnly flag may allow an adversary to steal authentication data and assume the identity of the user.
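The steps in the description are a manual check in the browser; the same finding can be caught automatically by inspecting the Set-Cookie headers a server emits. The following is an added example (not FOSSBilling code and not part of the original report) that parses Set-Cookie header values and flags sensitive cookies missing HttpOnly, Secure or SameSite. The header strings and the list of sensitive cookie names are constructed for illustration; the first sample mirrors the shape of the reported finding and the second shows the hardened form.

```python
"""
Audit Set-Cookie headers for missing protective attributes.
Added example; not part of the FOSSBilling code base.
The sample headers and the sensitive-name list are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool
    samesite: Optional[str]
    problems: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value into its name and attribute flags."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        # Attribute names are case-insensitive (HttpOnly, httponly, ...)
        attrs[key.strip().lower()] = value.strip()
    return CookieAudit(
        name=name,
        httponly="httponly" in attrs,
        secure="secure" in attrs,
        samesite=attrs.get("samesite"),
    )


def audit_cookie(header: str, sensitive_names: Set[str]) -> CookieAudit:
    """Record a problem for each protective attribute a sensitive cookie lacks."""
    cookie = parse_set_cookie(header)
    if cookie.name in sensitive_names:
        if not cookie.httponly:
            cookie.problems.append(
                "missing HttpOnly: readable by page scripts via document.cookie")
        if not cookie.secure:
            cookie.problems.append(
                "missing Secure: may be sent over plaintext HTTP")
        if cookie.samesite is None:
            cookie.problems.append(
                "missing SameSite: attached to cross-site requests")
    return cookie


# Constructed list of cookie names treated as sensitive (assumption for the example)
SENSITIVE = {"BOXCLR", "PHPSESSID"}

# Constructed sample headers: the first resembles the reported finding,
# the second is the hardened form, the third is a non-sensitive cookie.
SAMPLE_HEADERS = [
    "BOXCLR=abc123; Path=/",
    "BOXCLR=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/",
]


def audit_all(headers: List[str] = SAMPLE_HEADERS,
              sensitive: Set[str] = SENSITIVE) -> List[CookieAudit]:
    """Audit every header and return one CookieAudit per cookie."""
    return [audit_cookie(h, sensitive) for h in headers]


if __name__ == "__main__":
    for result in audit_all():
        status = "OK" if not result.problems else "; ".join(result.problems)
        print(f"{result.name}: {status}")
```

In a real review the header list would come from the responses captured by a proxy or from the application's own cookie-setting code; the point of the Secure and SameSite checks is that HttpOnly alone does not stop a cookie from travelling over plaintext HTTP or with cross-site requests, so all three attributes belong on a session cookie.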

We are processing your report and will contact the fossbilling team within 24 hours. 3 months ago
Belle Aerni validated this vulnerability 3 months ago

Same thing as stated in the other report, the cookie is set but never read from and we already have an open pull request to remove it entirely.

However, as stated in your "impact" section: "If the cookie is an authentication cookie, then not setting the HttpOnly flag may allow an adversary to steal authentication data and assume the identity of the user."

It IS an authentication cookie, but not one that's ever used. I'll go ahead and mark it as valid nonetheless as extracting the info from the cookie could still have consequences.

Chuu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Belle Aerni marked this as fixed in 0.5.1 with commit b9c35a 3 months ago
Belle Aerni has been awarded the fix bounty
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Jul 3rd 2023
Belle Aerni published this vulnerability 3 months ago