Closed
Bug 1054398
Opened 10 years ago
Closed 8 years ago
Cookie missing Secure flag
Categories: developer.mozilla.org :: Security, defect
Tracking: Not tracked
Status: VERIFIED FIXED
People: Reporter: curtisk, Unassigned
Details: Keywords: sec-low, wsec-cookie
Description: A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections. URL: https://ffdevtools.uservoice.com/session
Comment 1•10 years ago (Reporter)
HTTP/1.1 200 OK
Server: nginx/1.7.1
Date: Fri, 15 Aug 2014 17:23:28 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-UA-Compatible: chrome=1
P3P: CP="ALL DSP COR CURa ADMa DEVa OUR IND COM NAV"
X-Rack-Cache: invalidate, pass
ETag: "de3d213cfc64fdf1af9707584acb4ee9"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: _uservoice_uid=791fbdb2a0959d23f65a021845cd6fbd4fb9d0f7; path=/; expires=Fri, 10 Oct 2014 17:23:28 -0000
X-Request-Id: f3c5ea4f-1235-4342-ba80-0c2052ca8828
X-Runtime: 0.054657
Updated•10 years ago
Severity: normal → major
Comment 2•10 years ago
Adding all MDN devs to cc list of these security bugs.
Comment 4•10 years ago
I've contacted UserVoice with this information and waiting to hear back from them.
Flags: needinfo?(robert)
Comment 5•10 years ago
The reply I got from UserVoice was: "This cookie in question isn't a session cookie, so session hijacking won't be possible." Is that sufficient, or incorrect based on our security concerns?
Flags: needinfo?(curtisk)
Comment 6•10 years ago (Reporter)
This looks like a session cookie to me:

HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Fri, 17 Oct 2014 13:51:30 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-UA-Compatible: chrome=1
P3P: CP="ALL DSP COR CURa ADMa DEVa OUR IND COM NAV"
X-Rack-Cache: invalidate, pass
ETag: "08a8967e751599873a1217e806f490a8"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: _uservoice_uid=791fbdb2a0959d23f65a021845cd6fbd4fb9d0f7; path=/; expires=Fri, 12 Dec 2014 14:51:30 -0000
X-Request-Id: 21c6d7dd-b0bf-43f0-b4a1-b63425bd33fd
X-Runtime: 0.069203
CF-RAY: 17acf8a9b5500938-DFW

{"status":"OK","user":{"id":55222170,"name":"Curtis Koenig","email":"curtisk@mozilla.com","title":null,"anonymous":false,"remembered":false,"url":"https://ffdevtools.uservoice.com/users/55222170-curtis-koenig","uservoice_url":"https://ffdevtools.uservoice.com/users/55222170-curtis-koenig","sso_url":null,"karma_score":0,"avatar_url":"https://secure.gravatar.com/avatar/309fb1423f538a1443ceb8c01e33f651?size=70\u0026default=https://assets0.uvcdn.com/pkg/admin/icons/user_70-c68d06098b40646a91b7656094632c19.png","roles":{"admin":false},"created_at":"2014-08-15T17:23:28Z","updated_at":"2014-10-17T13:51:30Z","visible_forums":[{"id":246087,"name":"Firefox Developer Tools ideas","is_private":false,"idea_count":229,"url":"/forums/246087-firefox-developer-tools-ideas","max_votes":10,"forum_activity":{"votes_available":10,"supported_suggestions":[]}}]},"redirect_to":"/forums/246087-firefox-developer-tools-ideas"}

I am also able to log out of the system and then resend this request with the cookie, and the system logs me in (replay). So I think I have some valid concerns over cookie reuse and protection.
Flags: needinfo?(curtisk)
Comment 7•10 years ago (Reporter)
I think I may have also copied the wrong cookie, so here is the sign-in request that is also missing the flag:

https://ffdevtools.uservoice.com/site/signin

HTTP/1.1 302 Found
Server: cloudflare-nginx
Date: Fri, 17 Oct 2014 13:47:00 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Set-Cookie: __cfduid=d442922f77d740fb0ac426b9edc9b79d21413553620223; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.uservoice.com; HttpOnly
Status: 302 Found
X-Frame-Options: ALLOWALL
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-UA-Compatible: chrome=1
X-Doge: wow
Location: https://ffdevtools.uservoice.com/forums/246087-firefox-developer-tools-ideas
P3P: CP="ALL DSP COR CURa ADMa DEVa OUR IND COM NAV"
Cache-Control: private
X-Rack-Cache: miss
Set-Cookie: _session_id=c4c21bd9ec0eb2b6f0ed53869cbc500b; path=/; HttpOnly
X-Request-Id: 18bd84d1-1503-4226-8ba4-1b2b3d778e6e
X-Runtime: 0.024699
CF-RAY: 17acf20e65640944-DFW

Key Element: Set-Cookie: _session_id=c4c21bd9ec0eb2b6f0ed53869cbc500b; path=/; HttpOnly

This has HttpOnly set but is missing the Secure flag.
Comment 8•10 years ago
Curtis: fair point. I've reached out to them about this.
Comment 9•10 years ago (Reporter)
You should also feel free to add them to this bug if that helps.
Comment 10•10 years ago
Yeah, I'll look into it. Too many middle-men at the moment. :-)
Comment 11•10 years ago
Curtis, I can't add the UserVoice representative, joey.pilot@uservoice.com, to this bug. Can you please help me with that?
Flags: needinfo?(curtisk)
Comment 12•10 years ago (Reporter)
(In reply to Robert Nyman from comment #11)
> Curtis, I can't add the UserVoice representative,
> joey.pilot@uservoice.com, to this bug. Can you please help me with that?

I looked in the admin screens and it does not appear that is a valid Bugzilla account; in fact I can't find any for @uservoice.com. They will have to sign up for a free Bugzilla account with the given email before we can add them to the bug.
Flags: needinfo?(curtisk)
Comment 13•10 years ago
Thanks, I'll check back with him again.
Comment 14•10 years ago
Ok, Joey added to this bug now! Please continue the conversation.
Flags: needinfo?(joey.pilot)
Comment 15•10 years ago
One of our developers said this should not be a security issue because you are forcing SSL. Can we get some details about why it's still an issue when SSL is forced?
Flags: needinfo?(joey.pilot)
Comment 16•10 years ago (Reporter)
Please define what you mean by forcing SSL.
Flags: needinfo?(joey.pilot)
Comment 17•10 years ago
When you go to ffdevtools.uservoice.com, you arrive at a secure HTTPS URL: https://ffdevtools.uservoice.com/forums/246087-firefox-developer-tools-ideas, per this setting in UserVoice: http://prntscr.com/4ycgvw
Flags: needinfo?(joey.pilot)
Comment 18•9 years ago
This doesn't actually prevent interception of the traffic since the server still listens on HTTP. Once the server accepts the connection via an HTTP connection, the client will transmit an HTTP request that contains the cookies, then receive a 302 response. The client then connects via HTTPS, retransmitting the same data over an HTTPS request. I wasn't able to leverage this to access any personal data, but I am not sure if the same would hold true for actual authenticated accounts.
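As an added illustration of the point made in comment 18 and of the check in comment 7 (this is example code, not code from the bug, Mozilla or UserVoice), the Python below parses the Set-Cookie headers of a captured response, lists which cookies lack the Secure and HttpOnly attributes, and models the browser rule the comment relies on: a cookie without Secure is attached to the initial http:// request, so an HTTP-to-HTTPS redirect cannot protect it. The sample response is constructed from the headers quoted in comment 7, with one extra cookie (named _fixed here, an assumption) to show the passing case; all function names are the example's own.

```python
"""Audit Set-Cookie headers for Secure/HttpOnly and model which cookies a browser
would still send over plain HTTP. Added example; not Mozilla or UserVoice code."""
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, str] = field(default_factory=dict)  # lowercase attribute -> value

def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie value, e.g. '_session_id=abc; path=/; HttpOnly'."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:  # skip empty segments left by a trailing ';'
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # flags like HttpOnly map to ""
    return Cookie(name.strip(), value.strip(), attrs)

def cookies_from_response(raw_headers: str) -> List[Cookie]:
    """Collect every Set-Cookie header from a raw HTTP response header block."""
    cookies = []
    for line in raw_headers.splitlines():
        hname, sep, hval = line.partition(":")
        if sep and hname.strip().lower() == "set-cookie":
            cookies.append(parse_set_cookie(hval.strip()))
    return cookies

def missing_flags(cookie: Cookie) -> List[str]:
    """Protective attributes this cookie lacks."""
    return [flag for flag in ("secure", "httponly") if flag not in cookie.attrs]

def sent_over_plain_http(cookie: Cookie) -> bool:
    """A browser attaches a cookie to an http:// request unless it is marked Secure, so
    redirecting HTTP to HTTPS cannot stop the first cleartext request from leaking it."""
    return "secure" not in cookie.attrs

def audit(raw_headers: str) -> Dict[str, List[str]]:
    """Map each cookie name in the response to the flags it is missing."""
    return {c.name: missing_flags(c) for c in cookies_from_response(raw_headers)}

# Constructed sample based on the sign-in response in comment 7, plus one correctly flagged cookie.
SAMPLE_RESPONSE = """HTTP/1.1 302 Found
Set-Cookie: __cfduid=d442922f77d740fb0ac426b9edc9b79d21413553620223; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.uservoice.com; HttpOnly
Set-Cookie: _session_id=c4c21bd9ec0eb2b6f0ed53869cbc500b; path=/; HttpOnly
Set-Cookie: _fixed=example; path=/; HttpOnly; Secure
"""
```

Running audit(SAMPLE_RESPONSE) flags both cookies taken from the thread as missing Secure while _fixed passes; to check a live site, feed it the header block from a curl -v capture like the one in comment 20.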
Updated•9 years ago
Keywords: sec-low, wsec-cookie
Comment 19•9 years ago
Axel, can you please work with UserVoice to get this addressed.
Comment 20•8 years ago
According to comment #7, this bug is about a lack of Secure flag on the session id cookie. I curl'd the URL in question and got this:

$ curl -v "https://ffdevtools.uservoice.com/site/signin"
* Trying 104.16.93.65...
* Connected to ffdevtools.uservoice.com (104.16.93.65) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
* ALPN, server accepted to use http/1.1
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=ssl149278.cloudflaressl.com,OU=PositiveSSL Multi-Domain,OU=Domain Control Validated
* start date: Jan 04 00:00:00 2016 GMT
* expire date: Dec 31 23:59:59 2016 GMT
* common name: ssl149278.cloudflaressl.com
* issuer: CN=COMODO ECC Domain Validation Secure Server CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
> GET /site/signin HTTP/1.1
> Host: ffdevtools.uservoice.com
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: cloudflare-nginx
< Date: Fri, 26 Feb 2016 16:03:40 GMT
< Content-Type: text/html; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=de495a7a3a70405041c5e57093d0daf081456502620; expires=Sat, 25-Feb-17 16:03:40 GMT; path=/; domain=.uservoice.com; HttpOnly
< Vary: Accept-Encoding
< Vary: Accept-Encoding
< Status: 200 OK
< X-Frame-Options: ALLOWALL
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-UA-Compatible: chrome=1
< X-Doge: wow
< P3P: CP="ALL DSP COR CURa ADMa DEVa OUR IND COM NAV"
< X-Rack-Cache: miss
< ETag: W/"b8accaa4a3d35acf99cc0d03cc6c359a"
< Cache-Control: max-age=0, private, must-revalidate
< Set-Cookie: _rf=0; path=/
< Set-Cookie: _session_id=3f4597c18ed53286e8e682bb9b177078; path=/; HttpOnly; Secure
< X-Request-Id: f65a677d-4893-431c-8a11-c7652d6e4a5c
< X-Runtime: 0.065046
< CF-RAY: 27ace1a0a7b721b6-EWR

That has the Secure flag on the Set-Cookie with the session id. Pretty sure that means this bug is fixed.
April: Does that sound right to you? If so, then I think we can close this out.
Flags: needinfo?(april)
Comment 21•8 years ago
Yep, that looks good to me. The site should probably also set Strict-Transport-Security (HSTS) as well.
Flags: needinfo?(april)
Updated•8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Updated•8 years ago
Group: websites-security
Status: RESOLVED → VERIFIED