humhub / humhub

HumHub is an Open Source Enterprise Social Network. Easy to install, intuitive to use and extendable with countless freely available modules.
https://www.humhub.com

Insecure cookie setting: missing Secure flag. #5332

Closed samuk closed 1 year ago

samuk commented 3 years ago

What steps will reproduce the problem?

Run a pentest against community.humhub.com or other Humhub instance

What is the expected result?

Cookies have the secure flag set

What do you get instead?

A cookie has an insecure flag set.

Additional info

Full pentest report is available here: https://community.humhub.com/file/file/download?guid=655c1e62-f718-404a-8148-34517a465027&hash_sha1=84bd903a

| Cookie Name | URL | Evidence |
| --- | --- | --- |
| _csrf | https://community.humhub.com/ | `Set-Cookie:_csrf=b06891fe2488f55f63aba1dad7a7d7b5c91ec481a01dfa6c9b93439fdc5a386fa%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22CZz_dZNZXqE8r5AnyLzIKRxNHZDqFsjb%22%3B%7D; path=/; HttpOnly; SameSite=Lax` |

| Q | A |
| --- | --- |
| HumHub version | same as community.humhub.com |
| PHP version | same as community.humhub.com |
| Operating system | same as community.humhub.com |


samuk commented 2 years ago

Any progress on this ticket?

samuk commented 2 years ago

@luke- Do you anticipate this will be fixed in the next release? I have to report on the security of the platforms we use & would like to be able to report a timely response to this issue.

luke- commented 2 years ago

We will try to add this in the next major release.

But you can already add this option manually via the configuration file. https://forum.yiiframework.com/t/csrf-and-phpsessid-cookies-set-secure-flag-to-true/126930/8

Since we want to continue to support installations without HTTPS, we need reliable detection here.

samuk commented 2 years ago

Great thanks. Will apply the workaround.

Is HTTP really still a thing? I thought Letsencrypt had largely resolved any niche use cases for it.

marc-farre commented 2 years ago

Thanks @luke- FYI, I added, in the web.php file, these settings:

```php
// inside the 'session' component's 'cookieParams' array (yii\web\Session::$cookieParams)
'httpOnly' => true,
'secure' => true,
```

only for the session (and not the request) and it seems to be enough (tested with https://pentest-tools.com/).
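The check that both the pentest report in the original issue and marc-farre's pentest-tools.com run performed is easy to reproduce locally against a captured response. The following is an added example, not part of this issue thread or of HumHub's code: it parses `Set-Cookie` header lines and reports, per cookie, whether `Secure`, `HttpOnly` and `SameSite` are present. The header values are constructed (modelled on the `_csrf` evidence line above, with placeholder token values); the cookie names `PHPSESSID` and `tracker` in the sample are assumptions for the sake of the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample response headers (not real captured values):
#  - _csrf mirrors the evidence in the issue: HttpOnly and SameSite=Lax, but no Secure
#  - PHPSESSID is a constructed hardened session cookie with all three attributes
#  - tracker is a constructed cookie with SameSite=None but no Secure, which browsers reject
SAMPLE_HEADERS = [
    "Set-Cookie: _csrf=CONSTRUCTED_CSRF_TOKEN; path=/; HttpOnly; SameSite=Lax",
    "Set-Cookie: PHPSESSID=CONSTRUCTED_SESSION_ID; path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: tracker=CONSTRUCTED_VALUE; path=/; SameSite=None",
]


@dataclass
class CookieAudit:
    name: str
    secure: bool
    http_only: bool
    same_site: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie line into the cookie name and its security attributes."""
    # Drop the optional "Set-Cookie:" prefix as it appears in a captured response.
    value = re.sub(r"^\s*set-cookie\s*:\s*", "", header, flags=re.IGNORECASE)
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    secure = http_only = False
    same_site = None
    # Attribute names are case-insensitive; Secure and HttpOnly carry no value.
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
        elif key == "samesite":
            same_site = val.strip().lower() or None
    return CookieAudit(name, secure, http_only, same_site)


def audit_cookie(header: str, over_https: bool = True) -> CookieAudit:
    """Attach findings for the attributes a pentest scanner reports as missing."""
    cookie = parse_set_cookie(header)
    if over_https and not cookie.secure:
        cookie.findings.append("missing Secure flag: cookie is also sent over plain HTTP")
    if not cookie.http_only:
        cookie.findings.append("missing HttpOnly flag: cookie is readable from JavaScript")
    if cookie.same_site is None:
        cookie.findings.append("missing SameSite attribute: browser default applies")
    elif cookie.same_site == "none" and not cookie.secure:
        cookie.findings.append("SameSite=None requires Secure; browsers drop the cookie otherwise")
    return cookie


def audit_response_headers(headers: List[str], over_https: bool = True) -> Dict[str, List[str]]:
    """Return {cookie name: findings} for every Set-Cookie header of one response."""
    return {c.name: c.findings for c in (audit_cookie(h, over_https) for h in headers)}


if __name__ == "__main__":
    for name, findings in audit_response_headers(SAMPLE_HEADERS).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

Run it against the `Set-Cookie` lines copied from a browser's network panel or `curl -sI` output; pass `over_https=False` for an instance that is deliberately served without TLS, since the `Secure` flag would then keep the browser from sending the cookie at all.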

marc-farre commented 1 year ago

Great, thanks @luke- !