Session_id without Secure attribute in ikus060/rdiffweb

Valid

Reported on

Sep 9th 2022


Description

User's session id with secure attribute is false. This vulnerability makes user's cookies can be sent to the server with an unencrypted request over the HTTP protocol.

Proof of Concept

Open the browser and access to the website, in this scenario I use the demo website. Check the cookie in browser's dev tool and realize that the cookie with Secure attribute is false.

Impact

This vulnerability makes user's cookies can be sent to the server with an unencrypted request over the HTTP protocol.

We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. 22 days ago
Chuu modified the report
22 days ago
Patrik Dufresne validated this vulnerability 22 days ago
Chuu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Chuu
21 days ago

Researcher


thank you.

Patrik Dufresne
20 days ago

Maintainer


@uonghoangminhchau Could you or anyone else create a CVE report ?

Chuu
19 days ago

Researcher


@admin Please help me to create CVE report.

Jamie Slome
19 days ago

Admin


All sorted 👍 Once this report is marked as fixed (i.e. resolved), a CVE will automatically publish for this report with the CVE ID (CVE-2022-3174).

Patrik Dufresne
19 days ago

Maintainer


@chuu the affected version should be >=2.4.1

Jamie Slome
19 days ago

Admin


Sorted the affected version :)

We have sent a fix follow up to the ikus060/rdiffweb team. We will try again in 7 days. 19 days ago
Patrik Dufresne confirmed that a fix has been merged on f2de23 19 days ago
Patrik Dufresne has been awarded the fix bounty
to join this conversation