Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in pimcore/pimcore

Valid

Reported on

Jul 19th 2022


Description

The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session

Proof of Concept

PHPSESSID:"ID"
Created:"Tue, 19 Jul 2022 13:15:32 GMT"
Domain:"demo.pimcore.fun"
Expires / Max-Age:"Session"
HostOnly:true
HttpOnly:true
Last Accessed:"Tue, 19 Jul 2022 13:15:36 GMT"
Path:"/"
SameSite:"Strict"
Secure:false
Size:41

Proof of Concept (Link):

https://postimg.cc/ZWJT3N9b

Remediation

If possible, you should set the Secure flag for these cookies.

Impact

When a cookie is set with the Secure flag, it instructs the browser that the cookie can only be accessed over secure SSL/TLS channels. This is an important security protection for session cookies. The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.
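The check a tester would run against a finding like this one, as an added example written for this page and not code from the original report or from Pimcore: parse each Set-Cookie header of an HTTPS response, and flag session-like cookies that lack the Secure attribute (plus the two related attributes that usually travel with it). The response head below is constructed to mirror the PoC cookie; the list of "sensitive" name fragments is an assumption for the example.

```python
"""Audit Set-Cookie headers for a missing Secure attribute.

Added example for this page; not the reporter's or Pimcore's code.
The sample response is constructed to mirror the PoC (PHPSESSID with
HttpOnly and SameSite=Strict but no Secure).
"""
from dataclasses import dataclass, field

# Name fragments treated as session/auth material (assumption for this example).
SENSITIVE_NAMES = {"phpsessid", "session", "sessid", "csrf", "token"}


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute -> value or True


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return Cookie(name.strip(), value, attrs)


def is_sensitive(cookie: Cookie) -> bool:
    lowered = cookie.name.lower()
    return any(tag in lowered for tag in SENSITIVE_NAMES)


def audit(set_cookie_headers, served_over_https=True):
    """Return (cookie name, finding) pairs for sensitive cookies lacking protection."""
    findings = []
    for header in set_cookie_headers:
        c = parse_set_cookie(header)
        if not is_sensitive(c):
            continue
        if served_over_https and "secure" not in c.attrs:
            findings.append((c.name, "missing Secure attribute on HTTPS response"))
        if "httponly" not in c.attrs:
            findings.append((c.name, "missing HttpOnly attribute"))
        samesite = str(c.attrs.get("samesite", "")).lower()
        if samesite == "none" and "secure" not in c.attrs:
            findings.append((c.name, "SameSite=None requires Secure; browsers reject the cookie"))
    return findings


def set_cookie_headers_from_raw(raw: str):
    """Pull Set-Cookie values out of a raw HTTP response head (e.g. `curl -sI` output)."""
    out = []
    for line in raw.splitlines():
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            out.append(val.strip())
    return out


# Constructed response head: the PoC cookie, its hardened form, and a harmless cookie.
SAMPLE_RAW = (
    "HTTP/2 200\r\n"
    "content-type: text/html; charset=UTF-8\r\n"
    "set-cookie: PHPSESSID=ID; Path=/; HttpOnly; SameSite=Strict\r\n"
    "set-cookie: lang=en; Path=/; Max-Age=31536000\r\n"
    "\r\n"
)
SAMPLE_HEADERS = set_cookie_headers_from_raw(SAMPLE_RAW)

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_HEADERS):
        print(f"{name}: {finding}")
```

Feeding it the head of a real response (`curl -sI https://host/`) reproduces the PoC finding; the hardened form of the same cookie, `PHPSESSID=ID; Path=/; Secure; HttpOnly; SameSite=Strict`, produces no finding.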

We are processing your report and will contact the pimcore team within 24 hours. a year ago
We have contacted a member of the pimcore team and are waiting to hear back a year ago
pimcore/pimcore maintainer
a year ago

Maintainer


This is actually only for the demo.pimcore.fun as Pimcore uses Symfony's auto-secure feature, which seems to not work properly behind the reverse proxy. See also: https://symfony.com/blog/new-in-symfony-4-2-auto-secure-cookies
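Why an "auto" secure setting can silently drop the flag behind a TLS-terminating proxy, as an added example written for this page (a simplified model, not Symfony's or Pimcore's code): with the setting on auto, Secure is added only when the framework believes the request arrived over HTTPS, and the X-Forwarded-Proto hint from the proxy is honoured only when the proxy's address is trusted. The proxy address 10.0.0.5, the trusted network 10.0.0.0/8 and the header values are assumptions for the example.

```python
"""Model of a 'secure cookie: auto' decision behind a reverse proxy.

Added example for this page; a simplified model, not Symfony or Pimcore code.
Addresses and headers below are assumptions for the example.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Request:
    remote_addr: str                 # TCP peer as seen by the application server
    scheme: str                      # scheme of the hop that reached the app server
    headers: dict = field(default_factory=dict)


def is_secure(req: Request, trusted_proxies) -> bool:
    """Effective scheme: honour X-Forwarded-Proto only from a trusted proxy."""
    peer = ipaddress.ip_address(req.remote_addr)
    if any(peer in ipaddress.ip_network(net, strict=False) for net in trusted_proxies):
        forwarded = req.headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
        if forwarded:
            return forwarded == "https"
    return req.scheme == "https"


def session_set_cookie(req, trusted_proxies, cookie_secure="auto",
                       name="PHPSESSID", value="ID"):
    """Build the Set-Cookie value the app would emit for its session cookie."""
    if cookie_secure == "auto":
        secure = is_secure(req, trusted_proxies)
    else:
        secure = bool(cookie_secure)
    attrs = [f"{name}={value}", "Path=/"]
    if secure:
        attrs.append("Secure")
    attrs += ["HttpOnly", "SameSite=Strict"]
    return "; ".join(attrs)


def has_secure(set_cookie: str) -> bool:
    return "Secure" in set_cookie.split("; ")


# Browser -> proxy over TLS -> app over plain HTTP; the proxy announces the original scheme.
BEHIND_PROXY = Request("10.0.0.5", "http", {"X-Forwarded-Proto": "https"})
# A client talking to the app directly while forging the same header.
SPOOFED = Request("203.0.113.9", "http", {"X-Forwarded-Proto": "https"})

if __name__ == "__main__":
    print("no trusted proxies:  ", session_set_cookie(BEHIND_PROXY, []))
    print("proxy trusted:       ", session_set_cookie(BEHIND_PROXY, ["10.0.0.0/8"]))
    print("secure forced on:    ", session_set_cookie(BEHIND_PROXY, [], cookie_secure=True))
    print("forged header:       ", session_set_cookie(SPOOFED, ["10.0.0.0/8"]))
```

The first line of the output reproduces the report's situation: the application only ever sees plain HTTP from the proxy, so "auto" resolves to no Secure flag. Either telling the application which proxies to trust, or forcing the flag on when the site is HTTPS-only, closes the gap; the last case shows why the trust list is needed rather than honouring the header from anyone.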

Bernhard Rusch
a year ago

Maintainer


Obviously it seems it's not the default value - created a fix for that.

Bernhard Rusch validated this vulnerability a year ago
7h3h4ckv157 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Bernhard Rusch marked this as fixed in 10.5.0 with commit e06875 a year ago
Bernhard Rusch has been awarded the fix bounty
This vulnerability will not receive a CVE
7h3h4ckv157
a year ago

Researcher


Yeah, ticket closed from my side too.

Thank you
