Secure token is missing when an invalid URL is entered in ikus060/rdiffweb

Valid

Reported on

Sep 20th 2022


Description

The cookie session_id does not have the Secure attribute when the URL is invalid.

Proof of Concept

1. Log in to the application.
2. Send the request https://rdiffweb-demo.ikus-soft.com/browse/admin/MyWindowsLaptop/D/TC3080/test.

Impact

The Secure attribute is necessary so the cookie is secure.
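An added check, not part of this report or of rdiffweb's own code, that parses Set-Cookie headers from constructed sample responses (a normal page and an error page) and reports a session cookie that lacks the Secure or HttpOnly attribute. The response text and cookie values are made up for the example; the point is that the check is run over the error response as well as the login response, which is where this report found the attribute missing.

```python
"""Audit Set-Cookie headers for missing security attributes.

Added example, not rdiffweb's code: parses raw HTTP responses and lists
session cookies that are set without Secure or HttpOnly, so a test can
cover error pages in addition to the normal login path.
"""
from typing import Dict, List

# Constructed sample responses; cookie values and bodies are made up.
NORMAL_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html>ok</html>"
)

ERROR_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session_id=abc123; Path=/; HttpOnly\r\n"
    "\r\n"
    "<html>Not Found</html>"
)


def parse_set_cookies(raw_response: str) -> Dict[str, Dict[str, str]]:
    """Return {cookie_name: {attribute_lowercase: value}} for each Set-Cookie.

    Only the header block (before the first blank line) is examined, so a
    body that happens to contain the text 'Set-Cookie:' is not misread.
    Flag attributes such as Secure map to an empty string.
    """
    header_block = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    cookies: Dict[str, Dict[str, str]] = {}
    for line in header_block.split("\n"):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";") if p.strip()]
        if not parts:
            continue
        cookie_name = parts[0].split("=", 1)[0].strip()
        attrs: Dict[str, str] = {}
        for part in parts[1:]:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
        cookies[cookie_name] = attrs
    return cookies


def missing_attributes(raw_response: str, cookie_name: str = "session_id",
                       required=("Secure", "HttpOnly")) -> List[str]:
    """List the required attributes absent from the named cookie.

    Returns [] when the cookie is fully flagged, or when this response does
    not set the cookie at all (nothing to flag in that case).
    """
    attrs = parse_set_cookies(raw_response).get(cookie_name)
    if attrs is None:
        return []
    return [attr for attr in required if attr.lower() not in attrs]


def audit(responses: Dict[str, str]) -> Dict[str, List[str]]:
    """Run the check over labelled responses and keep only the failures."""
    findings: Dict[str, List[str]] = {}
    for label, raw in responses.items():
        missing = missing_attributes(raw)
        if missing:
            findings[label] = missing
    return findings


if __name__ == "__main__":
    results = audit({"login": NORMAL_RESPONSE, "invalid-url": ERROR_RESPONSE})
    for label, missing in results.items():
        print(f"{label}: session_id is missing {', '.join(missing)}")
```

Wired into a regression test, the labelled responses would come from real requests to a staging instance (the login page plus a deliberately invalid path), and any non-empty result from `audit` fails the build.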

We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. 3 days ago
Patrik Dufresne
3 days ago

Maintainer


@irfansayyed-github Could you re-validate? Version 2.5.0 is not out yet. It's still in Beta.

Since version 2.4.2 (September 12), the secure attribute is added to the cookie when using https.

irfansayyed-github
3 days ago

Researcher


Yeah, I did.

https://raw.githubusercontent.com/irfansayyed-github/irfansayyed-github/main/sde.png. You can verify that the cookie does not have the Secure attribute.

Patrik Dufresne
3 days ago

Maintainer


I see, that happens on the error page.

Patrik Dufresne validated this vulnerability 3 days ago
irfansayyed-github has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
irfansayyed-github
3 days ago

Researcher


@admin could we get CVE?

Jamie Slome
3 days ago

Admin


Sure, once we get the go-ahead from the maintainer, we can assign and publish a CVE for you :)

Patrik Dufresne
3 days ago

Maintainer


@admin You may proceed with creation of a CVE. Thanks

Jamie Slome
3 days ago

Admin


Sorted :)

Patrik Dufresne confirmed that a fix has been merged on ac334d 3 days ago
Patrik Dufresne has been awarded the fix bounty