Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in getgrav/grav
Reported on
Nov 3rd 2021
✍️ Description
The secure flag is not set for session cookies in the application.
💥 Impact
If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site.
References
TLS cookie without secure flag set
The Secure flag is used to declare that the cookie may only be transmitted using a secure connection (SSL/HTTPS). If this cookie is set, the browser will never send the cookie if the connection is HTTP. This flag prevents cookie theft via man-in-the-middle attacks.
Note that this flag can only be set during an HTTPS connection. If it is set during an HTTP connection, the browser ignores it.
Occurrences
It's a setting that has been turned off by default as people do not use SSL on their local computers.
https://github.com/getgrav/grav/blob/develop/system/config/system.yaml#L184
What if someone implements this application over HTTPS and SSL, then will secure get enabled??
It's a configuration option and it's documented here:
https://learn.getgrav.org/17/security/configuration
okay that looks fine, but isn't it provided in the application rather than the documentation? That means if an owner/developer forgot to read that point, then his application will not have the secure flag enabled. Right?? You can put the fixes like

```php
if (isset($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] == '1' || strtolower($_SERVER['HTTPS']) == 'on')) {
    $serverport = "https://"; // Uses a secure connection (HTTPS) if possible
    ini_set('session.cookie_secure', 1); // must be set before session_start()
} else {
    $serverport = "http://";
}
```
Because all these points need to be covered in code rather than in the documentation. Documentation is important, but it's good if these basic flags are set by implementing some type of logic similar to the above, so if someone forgot to read the documentation the application will still remain safe.
Sorry for the long delay. The proposal you had actually lessened the security in properly configured sites, so I had to come up with a slightly different approach. The fix will be in the next release.
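To show the trade-off the two comments above are about, here is an added example (not Grav's code, and not the fix the maintainer shipped). It assumes the site has its own configured `secure` setting for the session cookie, that the operator can declare a trusted TLS-terminating reverse proxy, and that such a proxy forwards the scheme in `X-Forwarded-Proto`; the function name and the `$configuredSecure` / `$trustProxy` parameters are hypothetical.

```php
<?php
// Decide whether the PHP session cookie gets the Secure attribute without
// ever weakening a setting the site operator configured explicitly.
//
// $server            the $_SERVER array (passed in so the logic is testable)
// $configuredSecure  the site's own "secure" setting (assumption: from site config)
// $trustProxy        assumption: operator declared a TLS-terminating proxy in front
function sessionCookieSecure(array $server, bool $configuredSecure, bool $trustProxy = false): bool
{
    // TLS on the direct connection, detected the same way as in the proposal above.
    $https = isset($server['HTTPS'])
        && ($server['HTTPS'] === '1' || strtolower($server['HTTPS']) === 'on');

    // Behind a trusted proxy TLS is terminated upstream and $_SERVER['HTTPS'] is
    // empty, so the direct check alone reports "http" for an HTTPS site. Only a
    // trusted proxy's header may be used: any client can send it otherwise.
    if (!$https && $trustProxy && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        $https = strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
    }

    // The configured value is a floor: auto-detection may add the flag but never
    // removes it. Writing 0 unconditionally whenever detection fails is how an
    // auto-detect patch lowers security on a correctly configured site.
    return $configuredSecure || $https;
}

// Constructed sample: TLS terminated at a trusted proxy, no HTTPS on the direct hop.
$sampleServer = ['HTTP_X_FORWARDED_PROTO' => 'https'];
$configuredSecure = false;            // assumption: value read from site config
$secure = sessionCookieSecure($sampleServer, $configuredSecure, true);

// Apply the decision before the session starts; ini_set() after session_start()
// has no effect on a cookie that was already sent.
ini_set('session.cookie_secure', $secure ? '1' : '0');
session_start();
```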