[Commotion-admin] [commotion-openwrt] Missing HTTPOnly Flag for sysauth Cookie (#32)

areynold notifications at github.com
Wed Sep 11 16:22:51 UTC 2013


**FINDING ID:** iSEC-COMMO13-4

**TARGETS:** The lack of an HTTPOnly flag on the sysauth administrative session cookie.

**DESCRIPTION:** Cookies set by the administrative application are not protected by the HTTPOnly flag. This flag tells the browser to withhold the cookie from script (document.cookie and similar APIs), so a session token carried in an HTTPOnly cookie cannot be read and exfiltrated by injected JavaScript. When set by the web application, this provides excellent defense in depth against session hijacking via Cross-Site Scripting (XSS). It does not stop script already running in the page from issuing requests that the browser attaches the cookie to, so it mitigates token theft rather than every consequence of an XSS.

**EXPLOIT SCENARIO:** An attacker locates an XSS vulnerability within the application and uses it to read the sysauth cookie, which makes admin session hijacking trivial. The attacker then performs operations on the administrator's behalf, such as changing the administrative password (the change form does not require the current password), in addition to a number of other sensitive actions.

**SHORT TERM SOLUTION:** Use a documented LuCI method to set the HTTPOnly flag, if one exists; otherwise append the flag to the Set-Cookie value when the sysauth cookie is set via luci.http.header.

**LONG TERM SOLUTION:** Review the Commotion web applications and attack surface for standard web application best practices (check https://www.owasp.org for resources). Consider implementing a regression test to ensure this issue does not resurface in future releases once fixed.
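The following is an added example for this finding, not code from LuCI or from commotion-openwrt. It assumes the LuCI functions luci.http.header(name, value) and luci.http.getenv(name), which exist in LuCI; the helper functions, the hypothetical send_sysauth call site, the cookie path and the session id are constructed for illustration. It builds the sysauth Set-Cookie value with HttpOnly (and Secure when the request arrived over TLS), and includes the kind of check a regression test would run over the emitted header. Run as a plain Lua script it exercises the helpers without LuCI installed.

```lua
-- Added example for this finding; not code from LuCI or commotion-openwrt.
-- Assumes the LuCI functions luci.http.header(name, value) and
-- luci.http.getenv(name); the helper functions, the call site below and the
-- sample session id are constructed for illustration.

-- Build the Set-Cookie value for the sysauth session cookie.
-- HttpOnly keeps the cookie out of document.cookie; Secure is added when the
-- request arrived over TLS so the cookie is never sent in clear text.
local function sysauth_cookie(sid, path, https)
  -- A session id containing ';' or whitespace could smuggle extra attributes.
  assert(not sid:find("[;%s]"), "invalid session id")
  local attrs = { "sysauth=" .. sid, "path=" .. path, "HttpOnly" }
  if https then
    attrs[#attrs + 1] = "Secure"
  end
  return table.concat(attrs, "; ")
end

-- Regression check: split a Set-Cookie value into its attributes and report
-- whether HttpOnly is present (attribute names are case-insensitive).
local function has_httponly(set_cookie)
  for attr in set_cookie:gmatch("[^;]+") do
    if attr:match("^%s*(.-)%s*$"):lower() == "httponly" then
      return true
    end
  end
  return false
end

-- Hypothetical call site showing how the cookie would be emitted from inside
-- LuCI (only defined here; it is not called outside a LuCI request context).
local function send_sysauth(sid, path)
  local https = luci.http.getenv("HTTPS") == "on"
  luci.http.header("Set-Cookie", sysauth_cookie(sid, path, https))
end

-- Stand-alone check with a constructed session id, runnable with plain lua.
local sid = "0123456789abcdef"
-- The pattern this finding describes: name, value and path only.
local vulnerable = "sysauth=" .. sid .. "; path=/cgi-bin/luci"
local hardened = sysauth_cookie(sid, "/cgi-bin/luci", true)
assert(not has_httponly(vulnerable))
assert(has_httponly(hardened))
assert(hardened == "sysauth=" .. sid .. "; path=/cgi-bin/luci; HttpOnly; Secure")
-- A session id that tries to inject its own attributes is rejected.
assert(not pcall(sysauth_cookie, "abc; path=/", "/cgi-bin/luci", false))
print("sysauth cookie checks passed")
```

In a real regression test the value passed to has_httponly would be the Set-Cookie header captured from a login response to the running web interface, so the check fails if a future release drops the flag again.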

---
Reply to this email directly or view it on GitHub:
https://github.com/opentechinstitute/commotion-openwrt/issues/32