Session_id without Secure attribute in ikus060/minarca

Valid

Reported on

Sep 13th 2022


Description

User's session id with secure attribute is false. This vulnerability makes user's cookies can be sent to the server with an unencrypted request over the HTTP protocol.

Proof of Concept

Open the browser and get access to the minarca website, for this scenario I have used the demo/test website. Check the cookie in browser's dev tool and realize that the cookie with Secure attribute is false.

Impact

This vulnerability makes user's cookies can be sent to the server with an unencrypted request over the HTTP protocol.

References

We are processing your report and will contact the ikus060/minarca team within 24 hours. 10 days ago
Patrik Dufresne validated this vulnerability 10 days ago

This vulnerability is valid. Was reported on Rdiffweb project.

Minarca will get fixed, whenever I upgrade Rdiffweb version embedded in Minarca.

Vanilla has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Patrik Dufresne
10 days ago

Maintainer


Affected version should be 4.2.0

Vanilla
10 days ago

Researcher


Thank you. Yes, If I could edit the affected version It is 4.2.0 for the Minarca.

We have sent a fix follow up to the ikus060/minarca team. We will try again in 7 days. 7 days ago
Vanilla
3 days ago

Researcher


Hi @admin, can you help me with the CVE ID for this report?

Jamie Slome
3 days ago

Admin


Sorted the affected version :)

@Patrik - would you like me to assign a CVE for this report?

Patrik Dufresne
3 days ago

Maintainer


@admin You may create a CVE for this report. Thanks

Jamie Slome
3 days ago

Admin


Sorted :)

Vanilla
2 days ago

Researcher


Thank you.!! @patrik @jamie

Patrik Dufresne confirmed that a fix has been merged on 7b5c7e 2 days ago
Patrik Dufresne has been awarded the fix bounty
to join this conversation