Sensitive Cookie Without 'HttpOnly' Flag in pi-hole/adminlte

Valid

Reported on Sep 1st 2021


✍️ Description

The cookie persistentlogin is set without the HttpOnly flag.

🕵️‍♂️ Proof of Concept

Enable "remember me" during login:

POST /admin/index.php?login HTTP/1.1
Host: 192.168.159.138
Content-Length: 30
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.159.138
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.159.138/admin/index.php?login
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=qfv8v7h8r6jrfsark4in9ia2ue
Connection: close

pw=***&persistentlogin=on

HTTP/1.1 302 Found
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=***; path=/; HttpOnly
Set-Cookie: persistentlogin=***; expires=Wed, 08-Sep-2021 18:36:11 GMT; Max-Age=604800
Location: index.php
Content-type: text/html; charset=UTF-8
X-Pi-hole: The Pi-hole Web interface is working!
X-Frame-Options: DENY
Content-Length: 0
Connection: close
Date: Wed, 01 Sep 2021 18:36:11 GMT
Server: lighttpd/1.4.53
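An added check (not part of the original report or the Pi-hole code base) that parses the Set-Cookie headers of a raw response like the one above and reports, per cookie, which required flags are absent; the embedded sample is the proof-of-concept response with its cookie values replaced by placeholders.

```python
"""Audit Set-Cookie headers for missing HttpOnly (or other) flags.

Added example, not part of the original report or the Pi-hole code base.
It parses raw HTTP response headers and reports, per cookie, which of the
required attribute flags are absent; this is how the persistentlogin
finding above would surface in an automated check.
"""
from typing import Dict, List, Sequence

# Constructed sample: the proof-of-concept response from the report above,
# with cookie values replaced by placeholders.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: PHPSESSID=***; path=/; HttpOnly\r\n"
    "Set-Cookie: persistentlogin=***; expires=Wed, 08-Sep-2021 18:36:11 GMT; Max-Age=604800\r\n"
    "Location: index.php\r\n"
    "\r\n"
)


def set_cookie_values(raw_response: str) -> List[str]:
    """Return the value of every Set-Cookie header in the response head."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def audit_cookies(raw_response: str,
                  required: Sequence[str] = ("HttpOnly",)) -> Dict[str, List[str]]:
    """Map each cookie name to the list of required flags it lacks.

    Attribute names are compared case-insensitively, as browsers do; the
    first 'name=value' token is the cookie itself, not an attribute, and an
    'expires=' value containing commas is safe because we split on ';' only.
    """
    result: Dict[str, List[str]] = {}
    for value in set_cookie_values(raw_response):
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0].strip()
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
        result[cookie_name] = [f for f in required if f.lower() not in attrs]
    return result


if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_RESPONSE).items():
        print(f"{name}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

Passing `("HttpOnly", "Secure")` as `required` extends the same check to the Secure flag, which only matters once the interface is served over HTTPS.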

💥 Impact

Steal cookies with XSS.

References

We have contacted a member of the pi-hole/adminlte team and are waiting to hear back 22 days ago
wtwver submitted a
22 days ago
Adam Warner validated this vulnerability 12 days ago
wtwver has been awarded the disclosure bounty
The fix bounty is now up for grabs
Adam Warner (Maintainer), 12 days ago:
@wtwver, the patch you've submitted isn't quite right - the use of named parameters only works in PHP >=8 (https://stackoverflow.com/a/36885)

As we have to support lower versions, it needs to go the way of:

setcookie('persistentlogin', $pwhash, time()+60*60*24*7, null, null, null, true );

There is also an additional place that it needs to be changed in.

Interestingly, on line 13 we already call ini_set('session.cookie_httponly',1) so this is clearly a bridge we've tried to cross before - but I guess calling setcookie with httponly=false overrides that.

Adam Warner (Maintainer), 12 days ago:
That said, I've no interest in the bounty so I'll award it to you once we merge it into master

wtwver (Researcher), 12 days ago:
Hi, thanks for the reply and the bounty.

It seems that the code on line 13 only applies to the PHPSESSID cookie.

Btw, do you think there will be any CVE for this and the other XSS?

Thanks

Adam Warner (Maintainer), 11 days ago:
I really don't know how this huntr.dev system works - it's all new to me. I think they organise it from here. Usually I would do it through the Security Advisories feature on github, but I don't want to double up the effort :S

@admin maybe you could provide some pointers here? (is that how you summon the admin??)

Adam Warner confirmed that a fix has been merged on cf8602 11 days ago
wtwver has been awarded the fix bounty
Jamie Slome (Admin), 10 days ago:
@promofaux - we can assign a CVE for this, and would be happy to do it on your behalf.

Any validated vulnerability via our platform can be awarded a CVE. Currently, our CVE assignment process is in beta, and so we only allow a select few through the system automatically, but I am more than happy to arrange this for you myself.

Would you both be happy for me to go ahead and issue a CVE?

wtwver (Researcher), 10 days ago:
Sure

Jamie Slome (Admin), 8 days ago:
CVE published here!

It should appear on the National Vulnerability Database shortly.

Great work all.

Adam Warner (Maintainer), 6 days ago:
https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-9hfp-j66v-6q3j