[Commotion-admin] [commotion-openwrt] Missing Secure Flag for sysauth Cookie (#33)

areynold notifications at github.com
Wed Sep 11 16:25:11 UTC 2013


**FINDING ID:** iSEC-COMMO13-5

**TARGETS:** The lack of a Secure flag on the sysauth administrative session cookie.

**DESCRIPTION:** The Secure flag, when set on a cookie by the web application, instructs the browser never to send that cookie over a plaintext HTTP connection. This offers defense in depth against network attackers when the application, or the administrative portion of the Commotion router, is served over HTTPS: even if a plaintext request to the same host is triggered, the session cookie stays out of it.

**EXPLOIT SCENARIO:** An attacker may be able to cause the sysauth cookie to be leaked in a plaintext HTTP request. In one example, an attacker could register a plaintext http:// link to the Commotion router as a local application icon. If an administrator is authenticated to the site over HTTPS and visits the application list, the browser will issue the plaintext, non-TLS request and automatically include the administrator's current session cookie. A network attacker may be able to capture this value by sniffing traffic and then perform subsequent actions on the administrator's behalf.

**SHORT TERM SOLUTION:** Use a documented LuCI method for setting the Secure flag if one exists; otherwise apply the flag directly when the sysauth cookie is set via luci.http.header.

**LONG TERM SOLUTION:** Ensure the default administrative interface is served only over HTTPS (TLS) and does not accept plaintext connections. Review the Commotion web applications and their attack surface against standard web application best practices. Consider implementing a regression test so that this issue does not resurface in future releases once it is fixed.
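The following is an added illustration of the short-term fix and of the regression check suggested above; it is not code from the Commotion or LuCI projects or from the original issue. It assumes the LuCI functions luci.http.header(name, value) and luci.http.getenv(name) with those signatures, that the web server exposes HTTPS="on" in the CGI environment for TLS requests, and that the caller supplies the session id (sid) and cookie path (in the dispatcher, the path comes from build_url()). The attribute check at the end is plain Lua and needs no LuCI modules, so it can run in a unit test against a captured Set-Cookie header.

```lua
-- Added example (not LuCI's or Commotion's own code).
-- Assumed LuCI API: luci.http.header(name, value), luci.http.getenv(name).
local http = require "luci.http"

-- Before the fix: only a path attribute, so a browser will attach sysauth to
-- any plaintext http:// request for the same host, including the
-- application-list link described in the exploit scenario.
local function set_sysauth_cookie_insecure(sid, path)
    http.header("Set-Cookie", "sysauth=" .. sid .. "; path=" .. path)
end

-- After the fix: HttpOnly keeps the cookie away from script, and Secure is
-- added when the login request itself arrived over TLS (HTTPS="on" in the
-- CGI environment is an assumption about the web server). Setting Secure
-- unconditionally on a router still served over plain HTTP would break
-- login, because the browser would never return the cookie; that is why the
-- long-term fix is to serve the interface over HTTPS only.
local function set_sysauth_cookie(sid, path)
    local attrs = "; path=" .. path .. "; HttpOnly"
    if http.getenv("HTTPS") == "on" then
        attrs = attrs .. "; Secure"
    end
    http.header("Set-Cookie", "sysauth=" .. sid .. attrs)
end

-- Regression check: does a Set-Cookie header value carry a given attribute?
-- Attribute names are case-insensitive (RFC 6265), so compare lower-cased.
-- Each ";"-separated part is reduced to its leading name token, so
-- "path=/cgi-bin/luci" matches "path" and " Secure" matches "secure".
local function cookie_has_attr(set_cookie, attr)
    local want = attr:lower()
    for part in set_cookie:gmatch("[^;]+") do
        local name = part:match("^%s*([^=%s]+)")
        if name and name:lower() == want then
            return true
        end
    end
    return false
end

-- Usage over constructed header values (the first is what a test fetching
-- the login response over HTTPS from the router should see).
local fixed   = "sysauth=0123456789abcdef; path=/cgi-bin/luci; HttpOnly; Secure"
local broken  = "sysauth=0123456789abcdef; path=/cgi-bin/luci"
assert(cookie_has_attr(fixed, "Secure"))
assert(cookie_has_attr(fixed, "HttpOnly"))
assert(not cookie_has_attr(broken, "Secure"))
```

Wiring cookie_has_attr into a test that logs in over HTTPS and inspects the real Set-Cookie header is what turns the long-term recommendation into an automated regression check.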

---
Reply to this email directly or view it on GitHub:
https://github.com/opentechinstitute/commotion-openwrt/issues/33