Closed
Bug 1054396
Opened 10 years ago
Closed 9 years ago
HTTPOnly flag not set on session cookie
Categories
(developer.mozilla.org :: Security, defect)
developer.mozilla.org
Security
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: curtisk, Unassigned)
References
()
Details
(Keywords: sec-low, wsec-cookie)
Description:
A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.
URL:
https://ffdevtools.uservoice.com/session
Updated•10 years ago
Summary: Secure flag not set on session cookie → HTTPOnly flag not set on session cookie
Comment 1•10 years ago
HTTP/1.1 200 OK
Server: nginx/1.7.1
Date: Fri, 15 Aug 2014 17:23:28 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-UA-Compatible: chrome=1
P3P: CP="ALL DSP COR CURa ADMa DEVa OUR IND COM NAV"
X-Rack-Cache: invalidate, pass
ETag: "de3d213cfc64fdf1af9707584acb4ee9"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: _uservoice_uid=791fbdb2a0959d23f65a021845cd6fbd4fb9d0f7; path=/; expires=Fri, 10 Oct 2014 17:23:28 -0000
X-Request-Id: f3c5ea4f-1235-4342-ba80-0c2052ca8828
X-Runtime: 0.054657
Updated•10 years ago
Severity: normal → major
Comment 2•10 years ago
Adding all MDN devs to cc list of these security bugs.
Comment 3•10 years ago
Robert - UserVoice will have to fix this on their side.
Flags: needinfo?(robert)
Comment 4•10 years ago
I've contacted UserVoice with this information and am waiting to hear back from them.
Flags: needinfo?(robert)
Comment 5•10 years ago
UserVoice cookies appear to be set with HttpOnly now.
Comment 6•10 years ago
No, I was incorrect. Still testing.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 7•10 years ago
Axel, can you please work with uservoice to get this addressed?
Comment 8•9 years ago
Looks like this is fixed now:
$ curl -v "https://ffdevtools.uservoice.com/session"
* Trying 104.16.92.65...
* Connected to ffdevtools.uservoice.com (104.16.92.65) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* ALPN, server accepted to use http/1.1
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=ssl149278.cloudflaressl.com,OU=PositiveSSL Multi-Domain,OU=Domain Control Validated
* start date: Jan 04 00:00:00 2016 GMT
* expire date: Dec 31 23:59:59 2016 GMT
* common name: ssl149278.cloudflaressl.com
* issuer: CN=COMODO ECC Domain Validation Secure Server CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
> GET /session HTTP/1.1
> Host: ffdevtools.uservoice.com
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 302 Found
< Server: cloudflare-nginx
< Date: Fri, 26 Feb 2016 15:27:59 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 105
< Connection: keep-alive
< Set-Cookie: __cfduid=d9533afe9de184588a5124509e86e9cd51456500479; expires=Sat, 25-Feb-17 15:27:59 GMT; path=/; domain=.uservoice.com; HttpOnly
< Status: 302 Found
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-UA-Compatible: chrome=1
< Location: https://ffdevtools.uservoice.com/signin
< P3P: CP="ALL DSP COR CURa ADMa DEVa OUR IND COM NAV"
< X-Rack-Cache: miss
< Cache-Control: no-cache
< Set-Cookie: _session_id=c956938309f0fd30422877a906f8f16c; path=/; HttpOnly; Secure
< X-Request-Id: 90953862-8e74-4dca-a822-72b3a47fd7ee
< X-Runtime: 0.021689
< CF-RAY: 27acad5aa8472168-EWR
<
* Connection #0 to host ffdevtools.uservoice.com left intact
<html><body>You are being <a href="https://ffdevtools.uservoice.com/signin">redirected</a>.</body></html>
Given that this isn't assigned to anyone and it doesn't appear to be on anyone's plate, I'm going to mark it as FIXED. If the curl output above looks wrong and/or I didn't use the right steps to reproduce, please re-open.
Status: REOPENED → RESOLVED
Closed: 10 years ago → 9 years ago
Resolution: --- → FIXED
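The two responses quoted in this bug (the 2014 header dump in comment 1 and the 2016 curl output in comment 8) make a compact fixture for the check the description calls for: does every Set-Cookie header carry HttpOnly, and on an HTTPS origin also Secure? The script below is an added example, not part of the bug report and not UserVoice's or MDN's code. The cookie strings are copied from the responses above; the finding labels, the helper names and the assumption that the responses were served over HTTPS (which is why a missing Secure attribute is reported) are this example's own.

```python
"""Audit Set-Cookie headers for missing HttpOnly and Secure attributes.

Added example for this bug, not code from the report or from UserVoice/MDN.
The sample headers are copied from the two responses quoted in the bug; the
finding labels and the https=True default are this example's assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Union

# Constructed fixture: the one Set-Cookie header from the 2014 response
# (comment 1) and the two from the 2016 response (comment 8).
RESPONSE_2014 = [
    "_uservoice_uid=791fbdb2a0959d23f65a021845cd6fbd4fb9d0f7; path=/; "
    "expires=Fri, 10 Oct 2014 17:23:28 -0000",
]
RESPONSE_2016 = [
    "__cfduid=d9533afe9de184588a5124509e86e9cd51456500479; "
    "expires=Sat, 25-Feb-17 15:27:59 GMT; path=/; domain=.uservoice.com; HttpOnly",
    "_session_id=c956938309f0fd30422877a906f8f16c; path=/; HttpOnly; Secure",
]

MISSING_HTTPONLY = "missing HttpOnly (cookie readable via document.cookie)"
MISSING_SECURE = "missing Secure (cookie may be sent over plaintext HTTP)"

Attrs = Dict[str, Union[str, bool]]


@dataclass
class Cookie:
    name: str
    value: str
    attrs: Attrs  # attribute names lower-cased; flags map to True


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie value into name, value and attributes.

    Splitting happens on ';' only: the Expires value contains a comma
    ("Fri, 10 Oct 2014 ..."), so splitting on ',' would corrupt it.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return Cookie(name.strip(), value.strip(), attrs)


def is_session_cookie(attrs: Attrs) -> bool:
    """A cookie with neither Expires nor Max-Age lives until the browser closes."""
    return "expires" not in attrs and "max-age" not in attrs


def audit_cookies(headers: List[str], https: bool = True) -> Dict[str, List[str]]:
    """Map each cookie name to its findings (an empty list means no defect).

    ``https`` says whether the response came from an HTTPS origin; only then
    is a missing Secure attribute reported, since Secure is meaningless on
    plain HTTP.
    """
    report: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        findings: List[str] = []
        if "httponly" not in cookie.attrs:
            findings.append(MISSING_HTTPONLY)
        if https and "secure" not in cookie.attrs:
            findings.append(MISSING_SECURE)
        report[cookie.name] = findings
    return report


if __name__ == "__main__":
    for label, headers in (("2014 response", RESPONSE_2014),
                           ("2016 response", RESPONSE_2016)):
        print(label)
        report = audit_cookies(headers)
        for header in headers:
            cookie = parse_set_cookie(header)
            kind = "session" if is_session_cookie(cookie.attrs) else "persistent"
            status = "; ".join(report[cookie.name]) or "ok"
            print(f"  {cookie.name} ({kind} cookie): {status}")
```

Run against the fixture, the 2014 `_uservoice_uid` cookie is reported for both missing attributes, the 2016 `_session_id` cookie passes, and the Cloudflare `__cfduid` cookie is reported only for the missing Secure attribute. The same functions work on headers pulled from a live response (for example the `Set-Cookie` values from `curl -v` output as in comment 8), so the check can be scripted into a recurring website-security scan rather than repeated by hand.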
Comment 9•9 years ago
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security