Bug #10275


CVE-2015-3155 - The _session_id cookie is issued without the Secure flag

Added by Ori Rabin almost 9 years ago. Updated almost 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Security
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1215622
Description of problem:

Strategic customer has run penetration test as part of preparation for PCI-DSS audit.

One of the issues found is the following:

==============================================
SSL Cookie Without Secure Flag Set
Risk: Medium

Abstract
If the secure flag is set on a cookie, then the browser will not submit the cookie in any request
that uses an unencrypted HTTP connection, thereby preventing the cookie from being trivially
intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the
cookie will be transmitted in clear text if the user visits any HTTP URLs within the cookie's
scope. An attacker may be able to induce this event by feeding a user a suitable link, either
directly or via another web site.

Specific Findings
In Red Hat Satellite 6, the _session_id cookie is set without the Secure flag:

_session_id=; path=/; HttpOnly

Remedy
The secure flag should be set on all cookies that are used for transmitting sensitive data when
accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the
application that are accessed over HTTPS should employ their own session handling
mechanism, and the session tokens used should never be transmitted over unencrypted
communications.


Related issues (2): 0 open, 2 closed

Related to Foreman - Bug #10510: "Invalid authenticity token" after login (Closed, Dominic Cleal, 05/14/2015)
Related to Foreman - Bug #11352: Foreman 1.7.5 CVE-2015-3155 - The _session_id cookie is issued without the Secure flag (Rejected, 08/14/2015)
#2

Updated by Ohad Levy almost 9 years ago

  • Private changed from No to Yes
#3

Updated by Dominic Cleal almost 9 years ago

  • Category set to Security

Please do not copy security related tickets to Redmine, the correct course of action is to report them to the foreman-security mailing list/team, see http://theforeman.org/security.html.

This has been reported there and we're looking into it.

#4

Updated by Dominic Cleal almost 9 years ago

I can reproduce this on recent nightly builds and default installation.

If I access http://foreman.example.com/, the server does NOT set a session cookie, then redirects the request to https://foreman.example.com/. The request to https://foreman.example.com/ sets the _session_id cookie with HttpOnly and no secure flag, then redirects the request to https://foreman.example.com/users/login.

It seems that any subsequent HTTP request, e.g. a user trying to return to the application by visiting http://foreman.example.com/ rather than https:// will result in the session cookie going over the wire under HTTP. The initial access to Foreman doesn't appear to send it over HTTP at any point.

Our older fixes for session fixation problems under CVE-2014-0090 don't really help mitigate this new issue, as the privileged session ID can be leaked over an HTTP request.

In Foreman 1.8, there is an additional "timezone" cookie that is also set without the secure or HttpOnly flags, but only contains a string such as "Europe/London".

In all versions, a _ForemanSelectedhosts cookie can be set by ticking some checkboxes in the UI host list. This contains a JSON array of host IDs that the user has selected. It's set from JavaScript rather than the HTTP request, and does not have the secure flag.

Both extra cookies would have negligible impact from a leak I think, but if the HTTP response could be intercepted and a different value set, it could cause a minor inconvenience for the user.
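As an added example, not code from the Foreman project, from the linked pull request, or from anyone in this ticket: a small Ruby script that audits Set-Cookie header values for the Secure flag described in the report (and HttpOnly on session cookies), run over constructed headers modelled on the _session_id and timezone cookies named in comment #4, plus a Rack-style middleware that appends Secure to cookies on HTTPS responses. The `SecureCookieFlag` class, the `audit_cookies`/`parse_set_cookie` helpers and the sample values are this example's own assumptions; the middleware illustrates the mitigation, it is not the fix that was merged.

```ruby
# Parse one Set-Cookie header value into its name, value and attribute map.
# Attribute names are case-insensitive per RFC 6265, so they are downcased.
def parse_set_cookie(header)
  parts = header.split(';').map(&:strip)
  name, value = parts.shift.split('=', 2)
  attributes = {}
  parts.each do |part|
    key, val = part.split('=', 2)
    attributes[key.downcase] = val.nil? ? true : val
  end
  { name: name, value: value.to_s, attributes: attributes }
end

def secure_cookie?(header)
  parse_set_cookie(header)[:attributes].key?('secure')
end

# Audit a list of Set-Cookie header values. On an HTTPS-only site every cookie
# is expected to carry Secure; session cookies must also carry HttpOnly.
# Returns an array of finding strings (empty when nothing is wrong).
def audit_cookies(headers, session_names: ['_session_id'])
  findings = []
  headers.each do |header|
    cookie = parse_set_cookie(header)
    attrs = cookie[:attributes]
    findings << "#{cookie[:name]}: missing Secure" unless attrs.key?('secure')
    if session_names.include?(cookie[:name]) && !attrs.key?('httponly')
      findings << "#{cookie[:name]}: session cookie missing HttpOnly"
    end
  end
  findings
end

# Rack-style middleware (plain Ruby; the rack gem is not required) that adds
# "; Secure" to every Set-Cookie of a response served over HTTPS. The class
# name and behaviour are this example's own (hypothetical), not Foreman's fix.
class SecureCookieFlag
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    https = env['rack.url_scheme'] == 'https' ||
            env['HTTP_X_FORWARDED_PROTO'] == 'https'
    if https && headers['Set-Cookie']
      # Rack 2 joins multiple cookies with "\n"; Rack 3 uses an array.
      cookies = Array(headers['Set-Cookie']).flat_map { |s| s.split("\n") }
      fixed = cookies.map { |c| secure_cookie?(c) ? c : "#{c}; Secure" }
      headers['Set-Cookie'] = headers['Set-Cookie'].is_a?(Array) ? fixed : fixed.join("\n")
    end
    [status, headers, body]
  end
end

# Constructed sample headers modelled on the cookies described in the ticket
# (the session value is a placeholder, not a real token).
SAMPLE_SET_COOKIES = [
  '_session_id=PLACEHOLDER_SESSION_VALUE; path=/; HttpOnly',
  'timezone=Europe%2FLondon; path=/'
].freeze

if __FILE__ == $PROGRAM_NAME
  puts audit_cookies(SAMPLE_SET_COOKIES)
  app = ->(_env) { [200, { 'Set-Cookie' => SAMPLE_SET_COOKIES.join("\n") }, ['ok']] }
  _, headers, _ = SecureCookieFlag.new(app).call('rack.url_scheme' => 'https')
  puts audit_cookies(headers['Set-Cookie'].split("\n")).inspect
end
```

Run against the sample headers the audit reports both cookies as missing Secure; routed through the middleware on an HTTPS request it reports nothing, while an HTTP request is left untouched (matching the observation that the server only sets the cookie after redirecting to HTTPS). The audit can be pointed at real Set-Cookie headers captured from a login redirect to check a deployment.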

#5

Updated by Dominic Cleal almost 9 years ago

  • Subject changed from The _session_id cookie is issued without the Secure flag to CVE-2015-3155 - The _session_id cookie is issued without the Secure flag
  • Private changed from Yes to No

CVE-2015-3155 has been assigned for this issue, which is now unembargoed.

#6

Updated by Dominic Cleal almost 9 years ago

  • translation missing: en.field_release set to 50
#7

Updated by Shlomi Zadok almost 9 years ago

  • Assignee set to Shlomi Zadok
#8

Updated by The Foreman Bot almost 9 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/2328 added
  • Pull request deleted ()
#9

Updated by Shlomi Zadok almost 9 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
#10

Updated by Dominic Cleal almost 9 years ago

  • Related to Bug #10510: "Invalid authenticity token" after login added
#11

Updated by Dominic Cleal over 8 years ago

  • Related to Bug #11352: Foreman 1.7.5 CVE-2015-3155 - The _session_id cookie is issued without the Secure flag added