Reliance on Cookies without Validation and Integrity Checking in getgrav/grav
Valid
Reported on Sep 10th 2021
✍️ Description
Developers often set cookies to be accessible from the root context path ("/"). Doing so exposes the cookie to all web applications on the domain. Because cookies often carry sensitive information such as session identifiers, sharing them across applications means a vulnerability in one application can lead to a compromise in another.
🕵️♂️ Proof of Concept
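    // Writes the flash cookie with path '/', so it is sent to every application on the domain.
    public function setFlashCookieObject($name, $object, $time = 60)
    {
        setcookie($name, json_encode($object), time() + $time, '/');

        return $this;
    }

    // Reads the flash cookie back and decodes it with no integrity check, then expires it.
    public function getFlashCookieObject($name)
    {
        if (isset($_COOKIE[$name])) {
            $object = json_decode($_COOKIE[$name], false);
            setcookie($name, '', time() - 3600, '/');

            return $object;
        }

        return null;
    }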
💥 Impact
A cookie with an overly broad path can be accessed through other applications on the same domain.
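One way to address both points in the report title, shown as an added example that is not Grav's code or the project's fix: the cookie value carries an HMAC that is verified before decoding, and the cookie is scoped to the application's own path. The function names, `$secret` and `$basePath` are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Grav's code. $secret is an assumed server-side key and
// $basePath an assumed application base path; all names are hypothetical.

// Serialize the object and append an HMAC so tampering is detectable.
function encodeFlashCookie($object, string $secret): string
{
    $payload = base64_encode(json_encode($object, JSON_THROW_ON_ERROR));
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

// Return the decoded object, or null if the value is malformed or its MAC fails.
function decodeFlashCookie(string $value, string $secret)
{
    $parts = explode('.', $value, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Constant-time comparison of the expected and the supplied MAC.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null;
    }
    $json = base64_decode($payload, true);
    return $json === false ? null : json_decode($json, false);
}

// Set the cookie scoped to the application's own path rather than '/'.
function setFlashCookie(string $name, $object, string $secret, string $basePath, int $time = 60): bool
{
    return setcookie($name, encodeFlashCookie($object, $secret), [
        'expires'  => time() + $time,
        'path'     => $basePath,   // only sent to this application
        'secure'   => true,        // HTTPS only
        'httponly' => true,        // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Constructed sample: a valid value round-trips, a modified one is rejected.
$secret = 'constructed-demo-key-not-for-production';
$cookie = encodeFlashCookie(['msg' => 'saved'], $secret);
var_dump(decodeFlashCookie($cookie, $secret)->msg);
var_dump(decodeFlashCookie('x' . $cookie, $secret));
```

The call that expires the cookie after reading it has to use the same path as the call that set it, otherwise the browser keeps the original cookie.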
We have contacted a member of the getgrav/grav team and are waiting to hear back (2 years ago)
The fix bounty has been dropped
This vulnerability will not receive a CVE
Session.php#L169 has been validated
Session.php#L154 has been validated
