Session cookie without 'HttpOnly' Flag in lirantal/daloradius

Valid

Reported on

Dec 20th 2022


Description

All versions of daloRADIUS prior to the master branch transmit the session cookie (i.e. PHPSESSID) without setting the HttpOnly flag.

Proof of Concept

$ curl --head http://<hostname>/login.php
HTTP/1.1 200 OK
Date: Tue, 20 Dec 2022 14:11:38 GMT
Server: Apache
Set-Cookie: PHPSESSID=djogjur0vjgg0hd9jkdc27p2h1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=UTF-8

Impact

Without the HttpOnly flag, JavaScript running in the browser (e.g., via document.cookie) can read the PHPSESSID cookie value.

Fix

To prevent JavaScript from being able to access the cookie value, the cookie must be transmitted with the HttpOnly flag set.

Occurrences

When defining the function dalo_session_start(), the function session_set_cookie_params should be properly called, before calling the function session_start.
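
One way to apply the ordering described above, as an added example that is not daloRADIUS's own code. The function name start_hardened_session() is hypothetical, and the branch for PHP older than 7.3 is an assumption that goes beyond what the report covers.

```php
<?php
// Added example (not the project's code): set HttpOnly on the session cookie
// before the session starts, then confirm the emitted header carries it.

function start_hardened_session(): bool
{
    // Cookie parameters only take effect if set before session_start().
    if (session_status() === PHP_SESSION_ACTIVE) {
        return true;
    }
    if (headers_sent()) {
        return false; // too late to emit or change Set-Cookie
    }

    if (PHP_VERSION_ID >= 70300) {
        // PHP 7.3+: options array, only the listed keys are changed.
        session_set_cookie_params(['httponly' => true]);
    } else {
        // Older PHP: positional form, so carry the current values over.
        $p = session_get_cookie_params();
        session_set_cookie_params(
            $p['lifetime'],
            $p['path'],
            $p['domain'],
            $p['secure'],
            true // httponly
        );
    }

    if (!session_start()) {
        return false;
    }

    // If a new session cookie was issued, check that it has the flag.
    $prefix = 'Set-Cookie: ' . session_name() . '=';
    foreach (headers_list() as $header) {
        if (stripos($header, $prefix) === 0) {
            return stripos($header, 'HttpOnly') !== false;
        }
    }

    // No Set-Cookie for the session: an existing session was resumed.
    return true;
}
```

A cookie that a browser stored before the flag was enabled keeps its old attributes until a new session ID is issued or the cookie expires.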

We are processing your report and will contact the lirantal/daloradius team within 24 hours. 20 days ago
Filippo submitted a
20 days ago
Filippo
20 days ago

Maintainer


The [fix](https://github.com/lirantal/daloradius/blob/6878619dc661b3009429777a1aeeb383ddc0166b/library/sessions.php#L68-L69) has already been merged in the master branch on [lirantal/daloradius](https://huntr.dev/repos/lirantal/daloradius)

We have contacted a member of the lirantal/daloradius team and are waiting to hear back 19 days ago
Liran Tal
19 days ago

Maintainer


Thank you Filippo. Appreciate the security bug report and the fix 🤗

A lirantal/daloradius maintainer has acknowledged this report 19 days ago
Liran Tal gave praise 19 days ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Liran Tal validated this vulnerability 19 days ago

Valid report and has been fixed in the latest master branch commit on github.com/lirantal/daloradius repository

Filippo has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Liran Tal marked this as fixed in master with commit 687861 19 days ago
Filippo has been awarded the fix bounty
This vulnerability has been assigned a CVE
Liran Tal published this vulnerability 19 days ago
sessions.php#L28-L41 has been validated
Filippo
19 days ago

Maintainer


You are welcome Liran :)
