URL: <https://savannah.nongnu.org/support/?109705>
Summary: make session cookies httponly
Project: Savannah Administration
Submitted by: peterdd
Submitted on: Tue 11 Jun 2019 07:33:46 PM CEST
Category: None
Priority: 5 - Normal
Severity: 6 - Security
Status: None
Assigned to: None
Originator Email:
Operating System: None
Open/Closed: Open
Discussion Lock: Any

_______________________________________________________

Details:

The session_hash and session_uid are not httponly, which means javascript could read document.cookie.

So an easy fix might be changing

    setcookie($name, $value, $expiration, $path, $domain, $secure);

to

    setcookie($name, $value, $expiration, $path, $domain, $secure, true);

in frontend/php/include/session.php

see https://www.php.net/manual/en/function.setcookie.php

Also the session cookies are .savannah.gnu.org, not savannah.gnu.org, so any subdomain tool has access to the session (I see it was intentionally made, but is it used yet anywhere?)

While savannah.gnu.org has content-security-policy default 'self' which makes XSS harder, the subdomains like https://web.cvs.savannah.gnu.org have not, so an XSS there could read document.cookie.

By setting the httponly option for session related cookies it would be a bit harder to exploit an XSS bug.

_______________________________________________________

File Attachments:

-------------------------------------------------------
Date: Tue 11 Jun 2019 07:33:46 PM CEST  Name: savane_cookies.png  Size: 241KiB  By: peterdd
<http://savannah.nongnu.org/support/download.php?file_id=47075>

_______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/support/?109705>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/
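The following is an added example, not code from the ticket or from the Savane project. It shows the setcookie() call the ticket quotes next to a hardened version that sets the httponly flag (using the options-array signature available since PHP 7.3), and a small audit helper that reads a Set-Cookie header value and reports which protective attributes it lacks, which is the check a reviewer would run against the live response rather than trusting the source. The variable names ($name, $value, $expiration, $path, $domain, $secure) are the ones the ticket uses; the SameSite attribute, the function names and the sample header strings are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example (not Savane project code). Assumes the same variables the
// ticket names; 'samesite' is an addition beyond what the ticket proposes.

/** The call as quoted in the ticket: no 7th argument, so httponly defaults to false. */
function set_session_cookie_original(string $name, string $value, int $expiration,
                                     string $path, string $domain, bool $secure): bool
{
    return setcookie($name, $value, $expiration, $path, $domain, $secure);
}

/** Hardened equivalent (PHP >= 7.3 options-array form). */
function set_session_cookie_hardened(string $name, string $value, int $expiration,
                                     string $path, string $domain, bool $secure): bool
{
    return setcookie($name, $value, [
        'expires'  => $expiration,
        'path'     => $path,
        // Per RFC 6265 any Domain attribute, dotted or not, makes the cookie
        // visible to all subdomains. Passing '' omits the attribute, which
        // makes the cookie host-only (savannah.gnu.org alone).
        'domain'   => $domain,
        'secure'   => $secure,
        'httponly' => true,   // the fix the ticket proposes: not readable via document.cookie
        'samesite' => 'Lax',  // assumption, not in the ticket: not sent on cross-site requests
    ]);
}

/**
 * Audit one Set-Cookie header value. Returns the list of missing protective
 * attributes and whether the cookie is scoped to subdomains. Attribute names
 * are compared case-insensitively, as browsers treat them.
 */
function audit_set_cookie(string $header): array
{
    $parts = array_map('trim', explode(';', $header));
    array_shift($parts);                     // drop the leading "name=value"
    $attrs = [];
    foreach ($parts as $p) {
        if ($p === '') {
            continue;
        }
        [$k, $v] = array_pad(explode('=', $p, 2), 2, null);
        $attrs[strtolower($k)] = $v;
    }
    $missing = [];
    foreach (['httponly' => 'HttpOnly', 'secure' => 'Secure', 'samesite' => 'SameSite'] as $key => $label) {
        if (!array_key_exists($key, $attrs)) {
            $missing[] = $label;
        }
    }
    return [
        'missing'            => $missing,
        // Presence of Domain, with or without a leading dot, means subdomain-wide scope.
        'subdomain_scoped'   => isset($attrs['domain']),
        'domain'             => $attrs['domain'] ?? null,
    ];
}

// Constructed sample headers, modelled on what the ticket describes, not captured traffic.
$before = 'session_hash=EXAMPLEHASH; expires=Wed, 12 Jun 2019 19:33:46 GMT; path=/; domain=.savannah.gnu.org; secure';
$after  = 'session_hash=EXAMPLEHASH; expires=Wed, 12 Jun 2019 19:33:46 GMT; path=/; secure; HttpOnly; SameSite=Lax';

foreach (['before' => $before, 'after' => $after] as $label => $hdr) {
    $r = audit_set_cookie($hdr);
    printf("%s: missing=[%s] subdomain_scoped=%s\n",
        $label,
        implode(', ', $r['missing']),
        $r['subdomain_scoped'] ? 'yes (' . $r['domain'] . ')' : 'no');
}
```

Run with `php audit.php`; the first line reports HttpOnly and SameSite missing and subdomain-wide scope, the second reports nothing missing and host-only scope. In a live check the same function can be fed each value returned by `headers_list()` in the web SAPI, or the `Set-Cookie` lines from `curl -sI https://savannah.gnu.org/` after logging in.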