A restrictive (sub)domain should be defined when setting the session cookie. If too broad a domain is defined, for instance example.com, the browser sends the cookie not only to the FileSender host but to example.com and every subdomain of it, so other applications hosted under that domain receive it as well. An attacker who controls, or has compromised, any system running under such a subdomain can therefore obtain the value of the user's session cookie and use it to hijack the session.
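The matching rule behind this, as an added example that is not FileSender code: a small JavaScript model of the RFC 6265 Domain-attribute rules a browser applies, run over constructed hostnames, which lists exactly which hosts receive the cookie when Domain=example.com is set versus when the cookie is left host-only. The hostnames, the cookie value and the isBroaderThanHost helper are assumptions made for illustration.

```javascript
// Added example, not FileSender code: a model of the RFC 6265 rules a browser
// applies to the Domain attribute, used to list which hosts receive a session
// cookie for a broad scope versus a host-only scope. All hostnames are constructed.

// RFC 6265 section 5.1.3 domain-match: equal, or requestHost ends with
// "." + cookieDomain and requestHost is not an IPv4 literal.
function domainMatches(requestHost, cookieDomain) {
  const h = requestHost.toLowerCase();
  const d = cookieDomain.toLowerCase();
  if (h === d) return true;
  return h.endsWith('.' + d) && !/^\d{1,3}(\.\d{1,3}){3}$/.test(h);
}

// Derive a cookie's scope from a Set-Cookie header received from responseHost
// (sections 5.2.3 and 5.3 step 6). Returns null when the browser would reject
// the cookie because the responding host does not domain-match the attribute.
function cookieScope(setCookieHeader, responseHost) {
  const host = responseHost.toLowerCase();
  const attrs = setCookieHeader.split(';').slice(1).map((s) => s.trim());
  const domainAttr = attrs.find((a) => a.toLowerCase().startsWith('domain='));
  if (!domainAttr) {
    // No Domain attribute: host-only cookie, sent back to exactly this host.
    return { hostOnly: true, domain: host };
  }
  let d = domainAttr.slice('domain='.length).trim().toLowerCase();
  if (d.startsWith('.')) d = d.slice(1); // a leading dot is ignored
  if (d === '' || !domainMatches(host, d)) return null;
  return { hostOnly: false, domain: d };
}

// Section 5.4 step 1: host-only cookies need an exact host match,
// otherwise the request host must domain-match the cookie's domain.
function cookieSentTo(scope, requestHost) {
  const h = requestHost.toLowerCase();
  return scope.hostOnly ? h === scope.domain : domainMatches(h, scope.domain);
}

// Which of the candidate hosts would the browser attach the cookie to?
function receivingHosts(setCookieHeader, responseHost, candidateHosts) {
  const scope = cookieScope(setCookieHeader, responseHost);
  if (scope === null) return [];
  return candidateHosts.filter((h) => cookieSentTo(scope, h));
}

// Hypothetical admin check: is a configured cookie domain wider than the host
// the application itself runs on? True means sibling subdomains get the cookie.
function isBroaderThanHost(cookieDomain, appHost) {
  let d = cookieDomain.toLowerCase();
  if (d.startsWith('.')) d = d.slice(1);
  const h = appHost.toLowerCase();
  return d !== h && domainMatches(h, d);
}

// Constructed sample data.
const APP_HOST = 'filesender.example.com';
const CANDIDATES = [
  'filesender.example.com',
  'example.com',
  'wiki.example.com',
  'sub.filesender.example.com',
  'example.com.attacker.net',
];
const BROAD_COOKIE = 'PHPSESSID=s3ss10n; Domain=example.com; Path=/; Secure; HttpOnly';
const HOST_ONLY_COOKIE = 'PHPSESSID=s3ss10n; Path=/; Secure; HttpOnly';

console.log('Domain=example.com sent to:', receivingHosts(BROAD_COOKIE, APP_HOST, CANDIDATES));
console.log('host-only cookie sent to:  ', receivingHosts(HOST_ONLY_COOKIE, APP_HOST, CANDIDATES));
console.log('example.com broader than app host:', isBroaderThanHost('example.com', APP_HOST));
```

Run it with node. The broad cookie reaches example.com and every subdomain, including wiki.example.com, while the host-only cookie (no Domain attribute at all) reaches only filesender.example.com and not even sub.filesender.example.com, which is the most restrictive scope available. Whatever mechanism a deployment uses to set the cookie domain, the value to configure is the host FileSender actually runs on, or none at all so the cookie stays host-only.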
Some third-party libraries bundled with a FileSender release need to be updated to newer versions.
This milestone is resolved in the following updates:
Update some versions: https://github.com/filesender/filesender/pull/1239
Those updates are available in release 2.32: https://github.com/filesender/filesender/pull/1241
Cookies: override the cookie_domain with settings from config.php: https://github.com/filesender/filesender/pull/1248
MoU14 m4: