Cookie without Secure attribute in pyload/pyload

Valid

Reported on

Jan 3rd 2023

Description

The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.

Proof of Concept

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 107
Vary: Accept-Encoding
Set-Cookie: pyload_session=28d0985f-aea1-490b-9954-866be697d8ad; Expires=Fri, 03 Feb 2023 05:47:17 GMT; HttpOnly; Path=/; SameSite=Lax
Connection: close
Date: Tue, 03 Jan 2023 05:47:17 GMT
Server: Cheroot/8.6.0

Impact

User's cookies can be sent to the server with an unencrypted request over the HTTP protocol. This is not secure.

We are processing your report and will contact the pyload team within 24 hours. 7 days ago

bAu submitted a

patch

7 days ago

We have contacted a member of the pyload team and are waiting to hear back 6 days ago

A pyload/pyload maintainer validated this vulnerability 5 days ago

bAu has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

A pyload/pyload maintainer marked this as fixed in 0.5.0b3.dev32 with commit 7b53b8 5 days ago

The fix bounty has been dropped

This vulnerability has been assigned a CVE

A pyload/pyload maintainer published this vulnerability 5 days ago

to join this conversation