Session cookie without 'HttpOnly' Flag in lirantal/daloradius
Reported on
Dec 20th 2022
Description
All versions of daloRADIUS prior to the master branch transmit the session cookie (i.e. PHPSESSID) without setting the HttpOnly flag.
Proof of Concept
$ curl --head http://<hostname>/login.php
HTTP/1.1 200 OK
Date: Tue, 20 Dec 2022 14:11:38 GMT
Server: Apache
Set-Cookie: PHPSESSID=djogjur0vjgg0hd9jkdc27p2h1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Impact
The problem allows JavaScript running in the page (e.g., via document.cookie) to read the PHPSESSID cookie value on the browser side.
Fix
To prevent JavaScript from being able to access the cookie value, the cookie must be transmitted with the HttpOnly flag set.
Occurrences
sessions.php L28-L41
When defining the function dalo_session_start(), the function session_set_cookie_params() should be called (with the HttpOnly flag enabled) before calling session_start(), since cookie parameters set after the session has started do not apply to the cookie that has already been issued.
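The call order described above, as an added illustration rather than the daloRADIUS code itself: a session bootstrap modelled on dalo_session_start() that sets the cookie parameters before the session is started, beside the pattern that produces the header shown in the proof of concept. The helper names other than session_set_cookie_params() and session_start() are assumptions.

```php
<?php
// Added example, not the project's code. Names other than the PHP
// built-ins session_set_cookie_params()/session_start() are assumed.

// Vulnerable pattern: session_start() alone inherits php.ini defaults,
// and session.cookie_httponly is off by default, so the cookie goes out as
//   Set-Cookie: PHPSESSID=...; path=/
// and is readable through document.cookie.
function dalo_session_start_insecure(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
}

// Hardened pattern: set the cookie parameters *before* session_start().
// PHP emits Set-Cookie when the session starts; a later call to
// session_set_cookie_params() does not change the cookie already sent.
function dalo_session_start(): void
{
    if (session_status() !== PHP_SESSION_NONE) {
        return; // already started; parameters cannot be applied now
    }
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    // Array form of session_set_cookie_params() requires PHP >= 7.3.
    session_set_cookie_params([
        'lifetime' => 0,       // session cookie, discarded when browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => $https,  // send only over TLS when served over TLS
        'httponly' => true,    // hidden from document.cookie
        'samesite' => 'Lax',   // limits cross-site sending of the cookie
    ]);
    session_start();
}

// Check usable in a test or health endpoint: confirm the flag is active.
function session_cookie_is_httponly(): bool
{
    return (bool) session_get_cookie_params()['httponly'];
}
```

After deployment, re-run the curl --head request from the proof of concept and confirm the Set-Cookie line now carries HttpOnly.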
The [fix](https://github.com/lirantal/daloradius/blob/6878619dc661b3009429777a1aeeb383ddc0166b/library/sessions.php#L68-L69) has already been merged in the master branch on [lirantal/daloradius](https://huntr.dev/repos/lirantal/daloradius)
Thank you Filippo. Appreciate the security bug report and the fix 🤗