Session_id without Secure attribute in ikus060/rdiffweb

Valid

Reported on

Sep 9th 2022

Description

User's session id with secure attribute is false. This vulnerability makes user's cookies can be sent to the server with an unencrypted request over the HTTP protocol.

Proof of Concept

Open the browser and access to the website, in this scenario I use the demo website. Check the cookie in browser's dev tool and realize that the cookie with Secure attribute is false.

Impact

This vulnerability makes user's cookies can be sent to the server with an unencrypted request over the HTTP protocol.

We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. a year ago

Chuu modified the report

a year ago

Patrik Dufresne validated this vulnerability a year ago

Chuu has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

commented a year ago

Researcher

thank you.

Patrik Dufresne

commented a year ago

Maintainer

@uonghoangminhchau Could you or anyone else create a CVE report ?

commented a year ago

Researcher

@admin Please help me to create CVE report.

commented a year ago

Admin

All sorted 👍 Once this report is marked as fixed (i.e. resolved), a CVE will automatically publish for this report with the CVE ID (CVE-2022-3174).

Patrik Dufresne

commented a year ago

Maintainer

@chuu the affected version should be >=2.4.1

commented a year ago

Admin

Sorted the affected version :)

We have sent a fix follow up to the ikus060/rdiffweb team. We will try again in 7 days. a year ago

Patrik Dufresne marked this as fixed in 2.4.2 with commit f2de23 a year ago

Patrik Dufresne has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation

We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. a year ago

Chuu modified the report

a year ago

Patrik Dufresne validated this vulnerability a year ago

Chuu has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

commented a year ago

Researcher

thank you.

Patrik Dufresne

commented a year ago

Maintainer

@uonghoangminhchau Could you or anyone else create a CVE report ?

commented a year ago

Researcher

@admin Please help me to create CVE report.

commented a year ago

Admin

All sorted 👍 Once this report is marked as fixed (i.e. resolved), a CVE will automatically publish for this report with the CVE ID (CVE-2022-3174).

Patrik Dufresne

commented a year ago

Maintainer

@chuu the affected version should be >=2.4.1

commented a year ago

Admin

Sorted the affected version :)

We have sent a fix follow up to the ikus060/rdiffweb team. We will try again in 7 days. a year ago

Patrik Dufresne marked this as fixed in 2.4.2 with commit f2de23 a year ago

Patrik Dufresne has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation