Closed mzeyrek closed 5 years ago
@LukasReschke
Openvas also produces a medium warning with this content for an instance not running in a subdirectory:
Summary: The host is running a server with SSL/TLS and is prone to information disclosure vulnerability.
Vulnerability Detection Result: The cookies: Set-Cookie: 45342agfd4=replaced; path=/; HttpOnly are missing the "secure" attribute.
Solution (Solution type: Mitigation): Set the 'secure' attribute for any cookies that are sent over a SSL/TLS connection.
Affected Software/OS: Server with SSL/TLS.
Vulnerability Insight: The flaw is due to cookie is not using 'secure' attribute, which allows cookie to be passed to the server by the client over non-secure channels (http) and allows attacker to conduct session hijacking attacks.
Impact Level: Application
Vulnerability Detection Method: SSL/TLS: Missing secure Cookie Attribute (OID: 1.3.6.1.4.1.25623.1.0.902661), Version used: $Revision: 5543 $
References: https://www.owasp.org/index.php/SecureFlag2 http://www.ietf.org/rfc/rfc2965.txt https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)
The secure flag is applied as soon as you log in. Thus there's not really a security issue here.
Unfortunately this does not seem to be true, @LukasReschke.
I've double checked with Firefox's "Storage" inspector and all cookies are marked as "Secure: false".
@jomo did you by any chance first access the site via plain http? I can't trigger this otherwise.
That comment pointed me in the right direction. TLS termination is done by nginx, I should have thought of that…
I had to add this to the config.php:

    'overwriteprotocol' => 'https'
Can confirm it's working now, thanks!
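The cause described in this thread, as an added illustration that is not Nextcloud's code: when nginx terminates TLS and proxies plain HTTP to PHP, the request looks like http to the application, so the session cookie is issued without the Secure attribute; an override like 'overwriteprotocol' => 'https' (the config.php key from above) or a trusted X-Forwarded-Proto header restores it. The function names and the sample request are constructed; the trusted_proxies key mirrors Nextcloud's config option of that name but the logic here is simplified.

```php
<?php
// Illustrative only (not Nextcloud's implementation). Decides which
// protocol the client actually used, the way a PHP app behind a
// TLS-terminating reverse proxy must, and derives the cookie's Secure flag.

function requestProtocol(array $server, array $config): string
{
    // An explicit override wins, as 'overwriteprotocol' => 'https' does in config.php.
    if (!empty($config['overwriteprotocol'])) {
        return strtolower($config['overwriteprotocol']);
    }
    // Honour X-Forwarded-Proto only from a proxy listed as trusted;
    // any client can send that header, so it must not be trusted blindly.
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (in_array($remote, $config['trusted_proxies'] ?? [], true)
        && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        return strtolower($server['HTTP_X_FORWARDED_PROTO']);
    }
    // Without a proxy, PHP sees TLS directly through $_SERVER['HTTPS'].
    $https = $server['HTTPS'] ?? '';
    return ($https !== '' && strtolower($https) !== 'off') ? 'https' : 'http';
}

function sessionCookieHeader(string $name, string $value, array $server, array $config): string
{
    $header = sprintf('Set-Cookie: %s=%s; Path=/; HttpOnly; SameSite=Lax', $name, $value);
    // Only mark the cookie Secure when the client connection was really TLS.
    if (requestProtocol($server, $config) === 'https') {
        $header .= '; Secure';
    }
    return $header;
}

// Constructed request as PHP sees it behind nginx TLS termination:
// no HTTPS variable, only the proxy's forwarded header.
$behindProxy = [
    'REMOTE_ADDR'            => '127.0.0.1',
    'HTTP_X_FORWARDED_PROTO' => 'https',
];

// Unconfigured: the app has no reason to believe the request was TLS.
echo sessionCookieHeader('session', 'replaced', $behindProxy, []), PHP_EOL;

// With the fix from this thread applied.
echo sessionCookieHeader('session', 'replaced', $behindProxy, ['overwriteprotocol' => 'https']), PHP_EOL;

// Alternative: trust the proxy's X-Forwarded-Proto header instead.
echo sessionCookieHeader('session', 'replaced', $behindProxy, ['trusted_proxies' => ['127.0.0.1']]), PHP_EOL;
```

Compare the three printed Set-Cookie lines: only the first lacks the Secure attribute, which is exactly what the scanner in this issue reports.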
In fact, the cookies are sent as secure even before login.
See the observatory.mozilla.org report:
Guess this issue can be closed?
I just had to do this for my docker nextcloud setup. At least in my case (and I'm assuming for others too), TLS is done by the nginx docker container. As a result, this test as well as the __Host- prefix test on scan.nextcloud.com were failing. I suppose this should be addressed on the docker-nextcloud repo as well.
Steps to reproduce
1. Test SSL nextcloud server at https://pentest-tools.com/website-vulnerability-scanning/web-server-scanner?run
2. Getting medium security due to secure cookie not implemented
Expected behaviour
Penetration test to pass as SameSiteCookieMiddleware.php seems to handle request
Actual behaviour
Sending cookies via http without secure flag in https. More details: https://help.nextcloud.com/t/secure-cookie-implementation/21854/3
Server configuration
Operating system: Debian 9 Stretch
Web server: nginx/1.10.3
Database: MariaDB 10.2
PHP version: 7.0
Nextcloud version: 12.0.3