Sensitive Cookie Without 'HttpOnly' Flag in pi-hole/adminlte
Reported on
Sep 1st 2021
✍️ Description
The persistentlogin cookie is set without the HttpOnly flag.
🕵️♂️ Proof of Concept
Enable "remember me" during login and submit the form. Request and response:
POST /admin/index.php?login HTTP/1.1
Host: 192.168.159.138
Content-Length: 30
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.159.138
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.159.138/admin/index.php?login
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=qfv8v7h8r6jrfsark4in9ia2ue
Connection: close

pw=***&persistentlogin=on

HTTP/1.1 302 Found
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=***; path=/; HttpOnly
Set-Cookie: persistentlogin=***; expires=Wed, 08-Sep-2021 18:36:11 GMT; Max-Age=604800
Location: index.php
Content-type: text/html; charset=UTF-8
X-Pi-hole: The Pi-hole Web interface is working!
X-Frame-Options: DENY
Content-Length: 0
Connection: close
Date: Wed, 01 Sep 2021 18:36:11 GMT
Server: lighttpd/1.4.53
💥 Impact
The persistentlogin cookie is readable from JavaScript, so an XSS vulnerability in the web interface could be used to steal it.
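The response above can be checked mechanically. The following is an added example, not code from the report or from Pi-hole: it parses the Set-Cookie headers of a raw HTTP response and lists, per cookie, which protective attributes are absent. It goes slightly beyond the report by also checking for Secure and SameSite, which the captured response lacks as well. SAMPLE_RESPONSE is a constructed, trimmed copy of the headers shown in the proof of concept with the secrets replaced by ***.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure / SameSite attributes."""
from typing import Dict, List, Tuple

# Constructed sample: the cookie-relevant headers from the report's 302 response.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: PHPSESSID=***; path=/; HttpOnly\r\n"
    "Set-Cookie: persistentlogin=***; expires=Wed, 08-Sep-2021 18:36:11 GMT; Max-Age=604800\r\n"
    "Location: index.php\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
)

# Attributes a browser-facing session or login cookie should normally carry.
REQUIRED_ATTRS = ("HttpOnly", "Secure", "SameSite")


def set_cookie_headers(raw_response: str) -> List[str]:
    """Return the value of every Set-Cookie header in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into (cookie name, {attribute_lowercase: attribute value}).

    Attribute names are case-insensitive per RFC 6265, so they are lower-cased;
    flag attributes such as HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in value.split(";")]
    cookie_name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return cookie_name, attrs


def audit_cookies(raw_response: str) -> Dict[str, List[str]]:
    """Map each cookie name to the required attributes it is missing."""
    findings: Dict[str, List[str]] = {}
    for value in set_cookie_headers(raw_response):
        name, attrs = parse_set_cookie(value)
        findings[name] = [a for a in REQUIRED_ATTRS if a.lower() not in attrs]
    return findings


if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_RESPONSE).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie}: {status}")
```

Run against the sample, PHPSESSID is reported as missing only Secure and SameSite (the ini_set on session cookies supplies HttpOnly), while persistentlogin is missing all three, which is the finding of this report.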
@wtwver, the patch you've submitted isn't quite right - the use of named parameters only works in PHP >=8 (https://stackoverflow.com/a/36885)
As we have to support lower versions, it needs to go the way of:
setcookie('persistentlogin', $pwhash, time()+60*60*24*7, null, null, null, true );
There is also an additional place that it needs to be changed in.
Interestingly, on line 13 we already call ini_set('session.cookie_httponly',1) so this is clearly a bridge we've tried to cross before - but I guess calling setcookie with httponly=false overrides that.
That said, I've no interest in the bounty so I'll award it to you once we merge it into master
Hi thanks for the reply and the bounty
It seems that the code on line 13 only applies to the PHPSESSID cookie.
Btw, do you think there will be any CVE for this and the other XSS?
Thanks
I really don't know how this huntr.dev system works - it's all new to me. I think they organise it from here. Usually I would do it through the Security Advisories feature on github, but I don't want to double up the effort :S
@admin maybe you could provide some pointers here? (is that how you summon the admin??)
@promofaux - we can assign a CVE for this, and would be happy to do it on your behalf.
Any validated vulnerability via our platform can be awarded a CVE. Currently, our CVE assignment process is in beta, and so we only allow a select few through the system automatically, but I am more than happy to arrange this for you myself.
Would you both be happy for me to go ahead and issue a CVE?
CVE published here!
It should appear on the National Vulnerability Database shortly.
Great work all.
https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-9hfp-j66v-6q3j