/

Session cookie without 'HttpOnly' Flag in lirantal/daloradius

Valid

Reported on

Dec 20th 2022

Description

All versions of daloRADIUS prior to the master branch transmit the session cookie (i.e. PHPSESSID) without setting the HttpOnly flag.

Proof of Concept

$ curl --head http://<hostname>/login.php
HTTP/1.1 200 OK
Date: Tue, 20 Dec 2022 14:11:38 GMT
Server: Apache
Set-Cookie: PHPSESSID=djogjur0vjgg0hd9jkdc27p2h1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=UTF-8

Impact

The problem could cause JavaScript (e.g., using document.cookies) to access the PHPSESSID cookie value on the browser side.

Fix

To prevent JavaScript from being able to access the cookie value, the cookie must be transmitted with the HttpOnly flag set.

Occurrences

sessions.php L28-L41

When defining the function dalo_session_start(), the function session_set_cookie_params should be properly called, before calling the function session_start.

We are processing your report and will contact the lirantal/daloradius team within 24 hours. 20 days ago

Filippo submitted a

20 days ago

commented 20 days ago

Maintainer

The [fix](https://github.com/lirantal/daloradius/blob/6878619dc661b3009429777a1aeeb383ddc0166b/library/sessions.php#L68-L69] has already been merged in the master branch on (lirantal/daloradius](https://huntr.dev/repos/lirantal/daloradius)

We have contacted a member of the lirantal/daloradius team and are waiting to hear back 19 days ago

commented 19 days ago

Maintainer

Thank you Filippo. Appreciate the security bug report and the fix 🤗

A lirantal/daloradius maintainer has acknowledged this report 19 days ago

Liran Tal gave praise 19 days ago

The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1

Liran Tal validated this vulnerability 19 days ago

Valid report and has been fixed in the latest master branch commit on github.com/lirantal/daloradius repository

Filippo has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Liran Tal marked this as fixed in master with commit 687861 19 days ago

Filippo has been awarded the fix bounty

This vulnerability has been assigned a CVE

Liran Tal published this vulnerability 19 days ago

sessions.php#L28-L41 has been validated

commented 19 days ago

Maintainer

You are welcome Liran :)

to join this conversation

We are processing your report and will contact the lirantal/daloradius team within 24 hours. 20 days ago

Filippo submitted a

20 days ago

commented 20 days ago

Maintainer

The [fix](https://github.com/lirantal/daloradius/blob/6878619dc661b3009429777a1aeeb383ddc0166b/library/sessions.php#L68-L69] has already been merged in the master branch on (lirantal/daloradius](https://huntr.dev/repos/lirantal/daloradius)

We have contacted a member of the lirantal/daloradius team and are waiting to hear back 19 days ago

commented 19 days ago

Maintainer

Thank you Filippo. Appreciate the security bug report and the fix 🤗

A lirantal/daloradius maintainer has acknowledged this report 19 days ago

Liran Tal gave praise 19 days ago

The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1

Liran Tal validated this vulnerability 19 days ago

Valid report and has been fixed in the latest master branch commit on github.com/lirantal/daloradius repository

Filippo has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Liran Tal marked this as fixed in master with commit 687861 19 days ago

Filippo has been awarded the fix bounty

This vulnerability has been assigned a CVE

Liran Tal published this vulnerability 19 days ago

sessions.php#L28-L41 has been validated

commented 19 days ago

Maintainer

You are welcome Liran :)

to join this conversation