Sensitive Cookie Without 'HttpOnly' Flag in yeswiki/yeswiki
Reported on Oct 5th 2021
Description
The software uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header helps mitigate the risk associated with Cross-Site Scripting (XSS) where an attacker's script code might attempt to read the contents of a cookie and exfiltrate information obtained. When set, browsers that support the flag will not reveal the contents of the cookie to a third party via client-side script executed via XSS.
https://github.com/YesWiki/yeswiki/ is vulnerable to Sensitive Cookie Without HttpOnly Flag as shown below:
Proof of concept
Snippet:

```php
public function logIn($remember = 0)
{
    // Server-side session record for the authenticated user
    $_SESSION['user'] = array(
        'name' => $this->properties['name'],
        'password' => $this->properties['password'],
        'email' => $this->properties['email'],
        'motto' => $this->properties['motto'],
        'revisioncount' => $this->properties['revisioncount'],
        'changescount' => $this->properties['changescount'],
        'doubleclickedit' => $this->properties['doubleclickedit'],
        'show_comments' => $this->properties['show_comments'],
    );
    // Persistent cookies written to the browser; no HttpOnly flag is requested here
    $this->wiki->setPersistentCookie('name', $this->properties['name'], $remember);
    $this->wiki->setPersistentCookie('password', $this->properties['password'], $remember);
    $this->wiki->setPersistentCookie('remember', $remember, $remember);
}
```
The login function doesn't set the HttpOnly flag on the cookies it creates for a valid session. To show that, do the following:
Payload
1. Log in to the site.
2. In Firefox press Ctrl+Shift+I (Cmd+Option+I on macOS) to open Developer Tools.
3. Click the heading of the 'Storage' tab.
4. On the left side of the panel, make sure to select the desired site under 'Cookies'.
5. Observe that the HTTP Only property is set to false:
CookieName:'COOKIEVAL',Domain:'localhost',Path:'PATH',HttpOnly:false
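The two halves of this report, the cookie-setting code in logIn() and the manual check in the Storage tab, can both be expressed in code. The following is an added example written for this page, not YesWiki's own code: a hardened persistent-cookie helper that always passes httponly (using the options-array form of setcookie() available since PHP 7.3), and a small parser that audits a list of Set-Cookie header values for cookies lacking the flag, which automates the Developer Tools check. The helper name setHardenedCookie, the 30-day lifetime, the Secure/SameSite choices and the sample header values are all assumptions made for the example.

```php
<?php
// Added example, not YesWiki project code. Function names, the cookie lifetime
// and the sample Set-Cookie values below are assumptions for illustration.
declare(strict_types=1);

/**
 * Set a persistent cookie with HttpOnly always on (plus Secure and SameSite).
 * A "remember me" login gets a 30-day lifetime; otherwise a session cookie.
 */
function setHardenedCookie(string $name, string $value, bool $remember, string $path = '/'): bool
{
    return setcookie($name, $value, [
        'expires'  => $remember ? time() + 60 * 60 * 24 * 30 : 0,
        'path'     => $path,
        'secure'   => true,   // assumes the wiki is served over HTTPS
        'httponly' => true,   // the flag this report is about: hidden from document.cookie
        'samesite' => 'Lax',
    ]);
}

/**
 * Parse one Set-Cookie header value into the cookie name and its attributes.
 * Attribute names are case-insensitive (RFC 6265); bare flags map to true.
 */
function parseSetCookie(string $header): array
{
    $parts = array_map('trim', explode(';', $header));
    [$name] = explode('=', array_shift($parts), 2);
    $attrs = [];
    foreach ($parts as $part) {
        if ($part === '') {
            continue;
        }
        [$key, $val] = array_pad(explode('=', $part, 2), 2, true);
        $attrs[strtolower($key)] = $val;
    }
    return ['name' => $name, 'attrs' => $attrs];
}

/** Names of cookies, among the given Set-Cookie header values, that lack HttpOnly. */
function cookiesMissingHttpOnly(array $setCookieHeaders): array
{
    $missing = [];
    foreach ($setCookieHeaders as $header) {
        $cookie = parseSetCookie($header);
        if (!isset($cookie['attrs']['httponly'])) {
            $missing[] = $cookie['name'];
        }
    }
    return $missing;
}

// Constructed sample headers modelled on the three cookies logIn() sets;
// only the third one carries the flag.
$sampleHeaders = [
    'name=alice; Path=/; Max-Age=2592000',
    'password=PLACEHOLDER-HASH; Path=/; Max-Age=2592000',
    'remember=1; Path=/; Max-Age=2592000; HttpOnly',
];
print_r(cookiesMissingHttpOnly($sampleHeaders)); // name and password are reported
```

When verifying a fix, run cookiesMissingHttpOnly() over the Set-Cookie headers returned by the login request; an empty result corresponds to every cookie showing HTTP Only = true in the Storage tab. The parser treats attribute names case-insensitively, so both "HttpOnly" and "httponly" are accepted.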
Impact
If the cookie in question is an authentication cookie, then not setting the HttpOnly flag may allow an adversary to steal authentication data (e.g., a session ID) and assume the identity of the user.
Occurrences
Indeed, there is only one cookie with httponly = false, but it is not defined by the logIn function. I pushed a commit to fix the httponly for the last concerned cookie.