Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in getgrav/grav

Valid

Reported on

Nov 3rd 2021


✍️ Description

The secure flag is not set for session cookies in the application.

💥 Impact

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site.

References

TLS cookie without secure flag set

The Secure flag is used to declare that the cookie may only be transmitted using a secure connection (SSL/HTTPS). If this cookie is set, the browser will never send the cookie if the connection is HTTP. This flag prevents cookie theft via man-in-the-middle attacks.

Note that this flag can only be set during an HTTPS connection. If it is set during an HTTP connection, the browser ignores it.

We are processing your report and will contact the getgrav/grav team within 24 hours. 7 months ago
We have contacted a member of the getgrav/grav team and are waiting to hear back 7 months ago
Matias Griese
7 months ago

Maintainer


It's a setting that has been turned off by default as people do not use SSL on their local computers.

https://github.com/getgrav/grav/blob/develop/system/config/system.yaml#L184

takester
7 months ago

Researcher


What if someone implements this application over HTTPS and SSL? Then will Secure get enabled?

Matias Griese
7 months ago

Maintainer


It's a configuration option and it's documented here:

https://learn.getgrav.org/17/security/configuration

takester
7 months ago

Researcher


Okay, that looks fine, but isn't it provided in the application rather than the documentation? Meaning if one owner/developer forgot to read that point, then his application will not have the Secure flag enabled. Right? You can put the fixes like

```php
<?php
// Only raise the Secure flag when PHP itself reports an HTTPS connection.
if (isset($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] == '1' || strtolower($_SERVER['HTTPS']) == 'on')) {
    $serverport = "https://";
    // Uses a secure connection (HTTPS) if possible; must run before session_start()
    ini_set('session.cookie_secure', 1);
} else {
    $serverport = "http://";
}
```

takester
7 months ago

Researcher


Because all these points need to be covered in code rather than in the documentation. Documentation is important, but it's good if these basic flags are set by implementing some type of logic similar to the above, so if someone forgets to read the documentation, the application will still remain safe.

We have sent a follow up to the getgrav/grav team. We will try again in 7 days. 7 months ago
We have sent a second follow up to the getgrav/grav team. We will try again in 10 days. 6 months ago
We have sent a third and final follow up to the getgrav/grav team. This report is now considered stale. 6 months ago
getgrav/grav maintainer validated this vulnerability 6 months ago
takester has been awarded the disclosure bounty
The fix bounty is now up for grabs
getgrav/grav maintainer
6 months ago

Maintainer


Sorry for the long delay. The proposal you had actually lessened the security in properly configured sites, so I had to come up with a slightly different approach. The fix will be in the next release.
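Added example (not Grav's own code and not the maintainer's actual fix) of the "never downgrade" approach the maintainer alludes to: the Secure flag follows an explicit site setting and can be raised, but never lowered, by connection detection, so a correctly configured site behind a TLS-terminating proxy keeps its flag. The `$configuredSecure` parameter, the `X-Forwarded-Proto` handling and the sample inputs are assumptions constructed for this example.

```php
<?php
// Added example, not Grav's code: choose the session cookie's Secure flag
// without ever downgrading an explicitly configured value.

function requestIsHttps(array $server): bool
{
    // Direct TLS: PHP sets HTTPS to a non-empty value other than "off".
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // TLS terminated at a reverse proxy (assumption: the proxy is trusted and
    // overwrites any client-supplied value of this header).
    return isset($server['HTTP_X_FORWARDED_PROTO'])
        && strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
}

function sessionCookieSecure(bool $configuredSecure, array $server): bool
{
    // Only ever raise the flag: a site configured as secure stays secure even
    // when HTTPS detection fails (e.g. a proxy that does not send the header).
    return $configuredSecure || requestIsHttps($server);
}

function configureSessionCookie(bool $configuredSecure, array $server): array
{
    $params = [
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => sessionCookieSecure($configuredSecure, $server),
        'httponly' => true,   // keep the session id away from script access
        'samesite' => 'Lax',  // array form requires PHP >= 7.3
    ];
    // Must be applied before session_start(); skipped under the CLI.
    if (PHP_SAPI !== 'cli') {
        session_set_cookie_params($params);
    }
    return $params;
}

// Constructed inputs covering plain HTTP, direct HTTPS and a configured site
// whose TLS-terminating proxy sends no protocol header at all.
$cases = [
    'plain http, config off'   => [false, ['HTTPS' => '']],
    'direct https, config off' => [false, ['HTTPS' => 'on']],
    'proxy tls, config on'     => [true,  []],
];
foreach ($cases as $label => [$cfg, $srv]) {
    printf("%-26s secure=%s\n", $label, var_export(sessionCookieSecure($cfg, $srv), true));
}
```

The third case is the one the researcher's snippet gets wrong: with no `HTTPS` variable set it would leave the flag off even though the site is configured and served over TLS.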

takester
6 months ago

Researcher


No problem

Djamil Legato confirmed that a fix has been merged on 90f5ff 4 months ago
Djamil Legato has been awarded the fix bounty