Sensitive Cookie Without 'HttpOnly' Flag in yeswiki/yeswiki

Valid

Reported on

Oct 5th 2021


Description

The software uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header helps mitigate the risk associated with Cross-Site Scripting (XSS) where an attacker's script code might attempt to read the contents of a cookie and exfiltrate information obtained. When set, browsers that support the flag will not reveal the contents of the cookie to a third party via client-side script executed via XSS.
https://github.com/YesWiki/yeswiki/ is vulnerable to Sensitive Cookie Without HttpOnly Flag as shown below:

Proof of concept

Snippet:

    public function logIn($remember = 0)
    {
        $_SESSION['user'] = array(
            'name'              => $this->properties['name'],
            'password'          => $this->properties['password'],
            'email'             => $this->properties['email'],
            'motto'             => $this->properties['motto'],
            'revisioncount'     => $this->properties['revisioncount'],
            'changescount'      => $this->properties['changescount'],
            'doubleclickedit'   => $this->properties['doubleclickedit'],
            'show_comments'     => $this->properties['show_comments'],
        );
        $this->wiki->setPersistentCookie('name', $this->properties['name'], $remember);
        $this->wiki->setPersistentCookie('password', $this->properties['password'], $remember);
        $this->wiki->setPersistentCookie('remember', $remember, $remember);
    }

The login function does not set the HttpOnly flag on the cookies it persists for a valid session. To observe this, do the following:

Payload

1. Log in to the site.
2. In Firefox, press Ctrl+Shift+I (Cmd+Option+I on macOS) to open Developer Tools.
3. Click the heading of the 'Storage' tab.
4. On the left side of the panel, select the desired site under 'Cookies'.
5. Observe that the HttpOnly property of the cookie is set to false:
CookieName:'COOKIEVAL',Domain:'localhost',Path:'PATH',HttpOnly:false
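The browser check above can be automated from the HTTP side by inspecting the Set-Cookie response headers directly. The following script is an added example for this report, not YesWiki code: it parses Set-Cookie values and reports any sensitive cookie (names assumed from the logIn() snippet plus PHP's default session cookie) that is set without HttpOnly; the header lines are constructed samples.

```python
"""Flag Set-Cookie headers whose sensitive cookies lack HttpOnly.

Added example for this report, not YesWiki code. Sensitive names come from
the logIn() snippet above plus PHP's default session cookie; header lines
are constructed samples.
"""
from typing import Dict, List

# Assumption: these cookies carry authentication state and must be HttpOnly.
SENSITIVE_COOKIES = {"name", "password", "remember", "phpsessid"}


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Parse one Set-Cookie value, e.g. 'name=v; Path=/; HttpOnly'."""
    parts = [p.strip() for p in header_value.split(";")]
    cookie_name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if attr:
            key, _, value = attr.partition("=")
            attrs[key.strip().lower()] = value.strip()  # names are case-insensitive
    return {
        "name": cookie_name,
        "httponly": "httponly" in attrs,
        "secure": "secure" in attrs,
    }


def unprotected_sensitive_cookies(headers: List[str]) -> List[str]:
    """Names of sensitive cookies set without HttpOnly (this report's finding)."""
    return [
        str(c["name"])
        for c in map(parse_set_cookie, headers)
        if str(c["name"]).lower() in SENSITIVE_COOKIES and not c["httponly"]
    ]


# Constructed sample headers: the 'password' cookie is missing HttpOnly.
SAMPLE_HEADERS = [
    "PHPSESSID=constructed-session-id; Path=/; HttpOnly; Secure; SameSite=Lax",
    "name=alice; Path=/; Max-Age=2592000; HttpOnly",
    "password=constructed-hash; Path=/; Max-Age=2592000",
    "remember=1; Path=/; Max-Age=2592000; HttpOnly",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for name in unprotected_sensitive_cookies(SAMPLE_HEADERS):
        print(f"sensitive cookie {name!r} is set without HttpOnly")
```

Feed it the Set-Cookie headers captured from the login response (for example from curl -i) to confirm the fix once every session cookie is HttpOnly.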

Impact

If the cookie in question is an authentication cookie, then not setting the HttpOnly flag may allow an adversary to steal authentication data (e.g., a session ID) and assume the identity of the user.

We have contacted a member of the yeswiki team and are waiting to hear back 2 months ago
Jérémy (Maintainer), 2 months ago:

Indeed, there is only one cookie with httponly = false, but it is not defined by the logIn function. I pushed a commit to fix the httponly for the last concerned cookie.

Jérémy Dufraisse validated this vulnerability 2 months ago
hitisec has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jérémy Dufraisse confirmed that a fix has been merged on df42b0 2 months ago
Jérémy Dufraisse has been awarded the fix bounty
YesWiki.php#L1721-L1724 has been validated