[Bug 9102] New: [SECURITY] We should set httponly on our session cookie
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 Bug ID: 9102 Summary: [SECURITY] We should set httponly on our session cookie Classification: Unclassified Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: OPAC Assignee: oleonard@myacpl.org Reporter: chris@bigballofwax.co.nz https://www.owasp.org/index.php/HttpOnly If the HttpOnly flag (optional) is included in the HTTP response header, the cookie cannot be accessed through client side script (again if the browser supports this flag). As a result, even if a cross-site scripting (XSS) flaw exists, and a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party. If a browser does not support HttpOnly and a website attempts to set an HttpOnly cookie, the HttpOnly flag will be ignored by the browser, thus creating a traditional, script accessible cookie. As a result, the cookie (typically your session cookie) becomes vulnerable to theft of modification by malicious script. There is no reason for the client side to be accessing the session cookie, so for browsers that supports this, this helps protect the user from malicious javascript. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 --- Comment #1 from Chris Cormack <chris@bigballofwax.co.nz> --- To test, use curl Before the patch % curl -I http://192.168.2.135 HTTP/1.1 200 OK Date: Sun, 18 Nov 2012 06:56:49 GMT Server: Apache/2.2.22 (Ubuntu) Pragma: no-cache Cache-control: no-cache Content-script-type: text/javascript Content-style-type: text/css Set-Cookie: CGISESSID=19689f6e7d8ec94c25269fecebf2f009; path=/ Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 After patch % curl -I http://192.168.2.135 HTTP/1.1 200 OK Date: Sun, 18 Nov 2012 07:01:04 GMT Server: Apache/2.2.22 (Ubuntu) Pragma: no-cache Cache-control: no-cache Content-script-type: text/javascript Content-style-type: text/css Set-Cookie: CGISESSID=da25baf03c0bc1e2c512a627028e43e6; path=/; HttpOnly Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |chris@bigballofwax.co.nz -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 --- Comment #2 from Chris Cormack <chris@bigballofwax.co.nz> --- Created attachment 13504 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=13504&action=edit Bug 9102 : Set HttpOnly on the CGISESSID cookie -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 Owen Leonard <oleonard@myacpl.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Failed QA --- Comment #3 from Owen Leonard <oleonard@myacpl.org> --- The test works as expected, but can we get a resubmission without tab indentation on the affected lines? -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #13504|0 |1 is obsolete| | --- Comment #4 from Chris Cormack <chris@bigballofwax.co.nz> --- Created attachment 13539 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=13539&action=edit Bug 9102 : Set HttpOnly on the CGISESSID cookie -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #13539|0 |1 is obsolete| | --- Comment #5 from Kyle M Hall <kyle@bywatersolutions.com> --- Created attachment 13580 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=13580&action=edit Bug 9102 : Set HttpOnly on the CGISESSID cookie Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off CC| |kyle@bywatersolutions.com -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 Jonathan Druart <jonathan.druart@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart@biblibre.co | |m Patch complexity|--- |Small patch --- Comment #6 from Jonathan Druart <jonathan.druart@biblibre.com> --- Hi Chris, There are 2 other occurrences of this kind in C4::Auth::check_api_auth: l.1141 my $cookie = $query->cookie( CGISESSID => $session->id ); l.1185 my $cookie = $query->cookie(CGISESSID => $sessionID); Don't you think we have to add this flag for them too? -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 --- Comment #7 from Chris Cormack <chris@bigballofwax.co.nz> --- Not sure about that Jonathan, since those ones are only used by the API, not rendered in a page. Possibly users of the API might want to interact with the cookie with javascript? More likely, since they wont be interacting with it with a browser that understands the httponly flag it will be ignored. We could add the flag just in case a user is tricked into going to a page from the api, that has been compromised and has xss in it. Maybe send a follow up, It can't really hurt to have it in it I think. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 Jonathan Druart <jonathan.druart@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 --- Comment #8 from Jonathan Druart <jonathan.druart@biblibre.com> --- Created attachment 13838 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=13838&action=edit Bug 9102 : Followup Set HttpOnly on the CGISESSID cookie -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 --- Comment #9 from Owen Leonard <oleonard@myacpl.org> --- (In reply to comment #8)
Bug 9102 : Followup Set HttpOnly on the CGISESSID cookie
Is there a way to test the follow-up like their was for Chris's patch? -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 --- Comment #10 from Jonathan Druart <jonathan.druart@biblibre.com> --- (In reply to comment #9)
(In reply to comment #8)
Bug 9102 : Followup Set HttpOnly on the CGISESSID cookie
Is there a way to test the follow-up like their was for Chris's patch?
I don't know... I think if you don't have any error on some pages the patch works. But if we have a doubt about this patch, we don't have to integrate it. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off --- Comment #11 from Chris Cormack <chris@bigballofwax.co.nz> --- I think we should QA the first patch and push it, the second one should be safe and essentially a no-op but is hard to test. So if we could push the first one and then put this back to needs sign off -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #13580|0 |1 is obsolete| | --- Comment #12 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Created attachment 14384 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=14384&action=edit [SIGNED-OFF] Bug 9102 : Set HttpOnly on the CGISESSID cookie https://www.owasp.org/index.php/HttpOnly Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de> To test, use curl Before the patch % curl -I http://192.168.2.135 HTTP/1.1 200 OK Date: Sun, 18 Nov 2012 06:56:49 GMT Server: Apache/2.2.22 (Ubuntu) Pragma: no-cache Cache-control: no-cache Content-script-type: text/javascript Content-style-type: text/css Set-Cookie: CGISESSID=19689f6e7d8ec94c25269fecebf2f009; path=/ Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 After patch % curl -I http://192.168.2.135 HTTP/1.1 200 OK Date: Sun, 18 Nov 2012 07:01:04 GMT Server: Apache/2.2.22 (Ubuntu) Pragma: no-cache Cache-control: no-cache Content-script-type: text/javascript Content-style-type: text/css Set-Cookie: CGISESSID=da25baf03c0bc1e2c512a627028e43e6; path=/; HttpOnly Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 Jared Camins-Esakov <jcamins@cpbibliography.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to Master --- Comment #13 from Jared Camins-Esakov <jcamins@cpbibliography.com> --- The first patch has been pushed to master. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 Jared Camins-Esakov <jcamins@cpbibliography.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #14384|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 Jared Camins-Esakov <jcamins@cpbibliography.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to Master |ASSIGNED -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 Jared Camins-Esakov <jcamins@cpbibliography.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 Galen Charlton <gmcharlt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |gmcharlt@gmail.com --- Comment #14 from Galen Charlton <gmcharlt@gmail.com> --- I've spent quite a bit of time reviewing the second patch. I'm about ready to sign off on it, but I've identified some JavaScript related to tags that expects to read the CGISESSID cookie. Fortunately, it doesn't actually need to in order to work, but I want to remove references to it. The offending bits of JavaScript are contained in three files: koha-tmpl/intranet-tmpl/prog/en/modules/tags/review.tt koha-tmpl/opac-tmpl/prog/en/js/tags.js koha-tmpl/opac-tmpl/ccsr/en/js/tags.js -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 Galen Charlton <gmcharlt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |9401 -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 Galen Charlton <gmcharlt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 --- Comment #15 from Galen Charlton <gmcharlt@gmail.com> --- Created attachment 14618 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=14618&action=edit Bug 9102 : Followup Set HttpOnly on the CGISESSID cookie Signed-off-by: Galen Charlton <gmc@esilibrary.com> -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 Galen Charlton <gmcharlt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #13838|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 --- Comment #16 from Galen Charlton <gmcharlt@gmail.com> --- Note for QA/RM - this patch stands alone, but I recommend that the patch be tested and pushed at the same time as the patch for bug 9401. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 M. de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |m.de.rooy@rijksmuseum.nl QA Contact| |m.de.rooy@rijksmuseum.nl -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 M. de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 M. de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #14618|0 |1 is obsolete| | --- Comment #17 from M. de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 14994 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=14994&action=edit Bug 9102 : Followup Set HttpOnly on the CGISESSID cookie Signed-off-by: Galen Charlton <gmc@esilibrary.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 M. de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 M. de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 --- Comment #18 from M. de Rooy <m.de.rooy@rijksmuseum.nl> --- Tested. See the HttpOnly flag in Firebug. Checked cookie processing in IE9 and FF with opac language and session. Also added an item without problems. Code looks good to me. Passed QA Note for RM: Will take a look too at the related report of Galen. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 Jared Camins-Esakov <jcamins@cpbibliography.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to Master --- Comment #19 from Jared Camins-Esakov <jcamins@cpbibliography.com> --- This patch has been pushed to master. -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org