FS#286 - information disclosure vulnerability: cookie httponly flag ignored
Attached to Project: Uzbl
Opened by Dylan Simon (dylex) - 2011-10-23 03:57:26 PM
Last edited by Brendan Taylor (bct) - 2012-11-25 10:09:23 PM
Details

uzbl-core ignores the http_only flag on cookies, not including it in cookie events, so it cannot be stored by the event manager. Thus, when cookies are reloaded by the event manager and sent to uzbl-core, the flag is lost. As a result, these cookies are accessible to (3rd party) JavaScript, allowing XSS session cookie theft. See http://en.wikipedia.org/wiki/HTTP_cookie#HttpOnly_cookie. My branch (git://github.com/dylex/uzbl.git) has a fix for this (a964be6bd96583f8735fd297856f1c9845850f6a) though only the uzbl-core part has been extensively tested (since I don't use the python event manager).
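The flag loss described in the report, as an added example that is not part of the original report or of uzbl's code: it round-trips two cookies through a store that drops HttpOnly and one that keeps it, then lists which cookies a page script could read afterwards. The tab-separated record layout, the function names and the sample headers are assumptions made for illustration, not uzbl's actual cookie event or storage format.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cookie:
    domain: str
    path: str
    name: str
    value: str
    secure: bool
    http_only: bool

def parse_set_cookie(domain, header):
    """Parse a Set-Cookie header value; attribute names are case-insensitive."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    flags = {a.partition("=")[0].strip().lower(): a.partition("=")[2].strip()
             for a in attrs if a}
    return Cookie(domain, flags.get("path") or "/", name, value,
                  "secure" in flags, "httponly" in flags)

# Hypothetical tab-separated record, NOT uzbl's real event or file syntax.
def dump_lossy(c):
    """Store record without the HttpOnly flag (the behaviour the report describes)."""
    return "\t".join([c.domain, c.path, c.name, c.value, str(int(c.secure))])

def dump_full(c):
    """Store record that carries the HttpOnly flag as a sixth field."""
    return dump_lossy(c) + "\t" + str(int(c.http_only))

def load(line):
    f = line.split("\t")
    # A record with no sixth field cannot say the cookie was HttpOnly,
    # so the reloaded cookie comes back without the flag.
    http_only = len(f) > 5 and f[5] == "1"
    return Cookie(f[0], f[1], f[2], f[3], f[4] == "1", http_only)

def script_visible(cookies):
    """Names a page script could read via document.cookie: all non-HttpOnly cookies."""
    return sorted(c.name for c in cookies if not c.http_only)

# Constructed sample input: (domain, Set-Cookie header value).
SAMPLE = [("example.test", "session=abc123; Path=/; Secure; HttpOnly"),
          ("example.test", "theme=dark; Path=/")]

def round_trip(dump):
    """Parse each sample header, write it with `dump`, and reload it."""
    return [load(dump(parse_set_cookie(d, h))) for d, h in SAMPLE]

if __name__ == "__main__":
    print("flag dropped:", script_visible(round_trip(dump_lossy)))
    print("flag kept:   ", script_visible(round_trip(dump_full)))
```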
Closed by Brendan Taylor (bct) - 2012-11-25 10:09:23 PM
Reason for closing: Fixed
Additional comments about closing: This was merged December of 2011.
Comment by Brendan Taylor (bct) - 2011-12-14 01:05:35 AM
Thanks a lot, sorry I left this so long. There's a ton of good stuff in your fork; I'm testing it right now and will apply ASAP.