Summary: make session cookies httponly
                 Project: Savannah Administration
            Submitted by: peterdd
            Submitted on: Tue 11 Jun 2019 07:33:46 PM CEST
                Category: None
                Priority: 5 - Normal
                Severity: 6 - Security
                  Status: None
             Assigned to: None
        Originator Email: 
        Operating System: None
             Open/Closed: Open
         Discussion Lock: Any



The session_hash and session_uid are not httponly, which means JavaScript
could read document.cookie

So an easy fix might be changing

setcookie($name, $value, $expiration, $path, $domain, $secure);

to

setcookie($name, $value, $expiration, $path, $domain, $secure, true);

in frontend/php/include/session.php

see https://www.php.net/manual/en/function.setcookie.php

Also the session cookies are .savannah.gnu.org, not savannah.gnu.org, so any
subdomain tool has access to the session (I see it was intentionally made, but
is it used yet anywhere?)

While savannah.gnu.org has content-security-policy default 'self', which makes
XSS harder, the subdomains like https://web.cvs.savannah.gnu.org do not, so
an XSS there could read document.cookie

By setting the httponly option for session related cookies it would be a bit
harder to exploit an XSS bug.


File Attachments:

Date: Tue 11 Jun 2019 07:33:46 PM CEST  Name: savane_cookies.png  Size: 241KiB
  By: peterdd
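A way to verify the report's claims, and later the fix, from the response headers is a small audit of the Set-Cookie lines the site sends. The following is an added example written for this page, not code from Savane or the Savannah bug; the cookie names session_hash and session_uid come from the report, and the sample headers are constructed rather than captured from savannah.gnu.org. One caveat the report does not mention: per RFC 6265 a cookie is host-only only when the Domain attribute is omitted entirely, so Domain=savannah.gnu.org without the leading dot would still be sent to every subdomain.

```python
"""Audit Set-Cookie headers for session cookies a script could read.

Added example for this report; it is not code from Savane or Savannah.
The cookie names come from the report; the sample headers below are
constructed, not captured from savannah.gnu.org.
"""
from dataclasses import dataclass, field

# Session cookie names named in the report.
SESSION_COOKIES = {"session_hash", "session_uid"}


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute -> value or True


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (RFC 6265 syntax).

    Flag attributes such as HttpOnly and Secure map to True; valued
    attributes such as Domain and SameSite keep their string value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        cookie.attrs[key.strip().lower()] = val.strip() if has_value else True
    return cookie


def audit_cookie(cookie: Cookie) -> list[str]:
    """Return the weaknesses of one session cookie; [] for a sound or non-session cookie."""
    if cookie.name not in SESSION_COOKIES:
        return []
    findings = []
    if cookie.attrs.get("httponly") is not True:
        findings.append("missing HttpOnly: readable through document.cookie by any XSS")
    if cookie.attrs.get("secure") is not True:
        findings.append("missing Secure: sent over plain HTTP")
    # Per RFC 6265 a cookie is host-only only when Domain is absent; any
    # Domain value, with or without the leading dot, is sent to all subdomains.
    if "domain" in cookie.attrs:
        findings.append(
            f"Domain={cookie.attrs['domain']}: shared with every subdomain; "
            "omit Domain for a host-only cookie"
        )
    if "samesite" not in cookie.attrs:
        findings.append("missing SameSite: browser default applies to cross-site requests")
    return findings


def audit_headers(set_cookie_headers: list[str]) -> dict[str, list[str]]:
    """Map each session cookie name to its findings; cookies with no findings are omitted."""
    report = {}
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        findings = audit_cookie(cookie)
        if findings:
            report[cookie.name] = findings
    return report


# Constructed sample: the weak form described in the report beside a hardened one.
WEAK_HEADERS = [
    "session_hash=0123456789abcdef; Path=/; Domain=.savannah.gnu.org; Secure",
    "session_uid=12345; Path=/; Domain=.savannah.gnu.org; Secure",
    "lang=en; Path=/",  # not a session cookie, ignored by the audit
]
HARDENED_HEADERS = [
    "session_hash=0123456789abcdef; Path=/; Secure; HttpOnly; SameSite=Lax",
    "session_uid=12345; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for name, findings in audit_headers(WEAK_HEADERS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
    print("hardened:", audit_headers(HARDENED_HEADERS) or "no findings")
```

To run it against a live site, feed audit_headers() the raw Set-Cookie values from the login response (for example from curl -i); every session cookie that still appears in the output is one an injected script on any subdomain could read or forward.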


