nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

secure cookie fails penetration tests #6767

Closed mzeyrek closed 5 years ago

mzeyrek commented 6 years ago

Steps to reproduce

1. Test an SSL Nextcloud server at https://pentest-tools.com/website-vulnerability-scanning/web-server-scanner?run
2. Get a "medium" security rating because the secure cookie flag is not implemented.
3. Nextcloud is running under a dedicated domain, not a subdomain.

Expected behaviour

The penetration test should pass, as SameSiteCookieMiddleware.php seems to handle the request.

Actual behaviour

Cookies are sent via HTTP (without the secure flag) on HTTPS. More details: https://help.nextcloud.com/t/secure-cookie-implementation/21854/3

Server configuration

Operating system: Debian 9 Stretch
Web server: nginx/1.10.3
Database: MariaDB 10.2
PHP version: 7.0
Nextcloud version: 12.0.3

rullzer commented 6 years ago

@LukasReschke

e-alfred commented 6 years ago

OpenVAS also produces a medium warning with this content for an instance not running in a subdirectory:

Summary

The host is running a server with SSL/TLS and is prone to information disclosure vulnerability.
Vulnerability Detection Result

The cookies:

Set-Cookie: 45342agfd4=replaced; path=/; HttpOnly

are missing the “secure” attribute.

Solution

Solution type: Mitigation

Set the ‘secure’ attribute for any cookies that are sent over a SSL/TLS connection.
Affected Software/OS

Server with SSL/TLS.
Vulnerability Insight

The flaw is due to the cookie not using the 'secure' attribute, which allows the cookie to be passed to the server by the client over non-secure channels (HTTP) and allows an attacker to conduct session hijacking attacks.

Impact Level: Application
Vulnerability Detection Method

Details: SSL/TLS: Missing secure Cookie Attribute (OID: 1.3.6.1.4.1.25623.1.0.902661)

Version used: $Revision: 5543 $

References

Other:
https://www.owasp.org/index.php/SecureFlag2
http://www.ietf.org/rfc/rfc2965.txt
https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)
LukasReschke commented 6 years ago

The secure flag is applied as soon as you log-in. There's not really a security issue here thus.

jomo commented 5 years ago

Unfortunately this does not seem to be true, @LukasReschke.

(screenshot: browser cookie inspector showing the cookies without the Secure flag)

I've double-checked with Firefox's "Storage" inspector and all cookies are marked as "Secure: false".

rullzer commented 5 years ago

@jomo did you by any chance first access the site via plain http? I can't trigger this otherwise.

jomo commented 5 years ago

That comment pointed me in the right direction. TLS termination is done by nginx, I should have thought of that…

I had to add this to the config.php:

'overwriteprotocol' => 'https'

Can confirm it's working now, thanks!

jomo commented 5 years ago

In fact, the cookies are sent as secure even before login.

See observatory.mozilla.org report: screenshot

Guess this issue can be closed?

pgera commented 5 years ago

I just had to do this for my Docker Nextcloud setup. At least in my case (and I'm assuming for others too), TLS is done by the nginx Docker container. As a result, this test as well as the __Host- prefix test on scan.nextcloud.com were failing. I suppose this should be addressed on the docker-nextcloud repo as well.
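The two things the thread turns on, as an added example (this is not Nextcloud's code, nor the OpenVAS or scan.nextcloud.com scanner): first, the Set-Cookie audit those scanners perform, including the __Host- prefix rules pgera mentions; second, a simplified model of why a TLS-terminating proxy makes the backend emit cookies without Secure, and what the `overwriteprotocol` and `trusted_proxies` settings change. The precedence in `request_scheme` (overwriteprotocol first, then X-Forwarded-Proto from a trusted proxy, then the HTTPS server variable) is an assumption about the backend, not taken from the page; the cookie name `45342agfd4` is the one from the OpenVAS output above, and every other header, address and config value is constructed for the example.

```python
"""Set-Cookie audit plus a model of scheme detection behind a TLS-terminating proxy.

Added example; not Nextcloud's implementation and not a scanner's code.
"""
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie header value into (cookie name, {attr: value}).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to ''.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def check_cookie(header: str) -> List[str]:
    """Return the findings a scanner would raise for one cookie set over TLS."""
    name, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure")      # the OpenVAS medium finding above
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "samesite" not in attrs:
        findings.append("missing SameSite")
    # Cookie prefix rules (RFC 6265bis): a __Host- cookie must be Secure, have
    # Path=/ and carry no Domain; browsers silently drop it otherwise.
    if name.startswith("__Host-"):
        if attrs.get("path") != "/":
            findings.append("__Host- cookie must have Path=/")
        if "domain" in attrs:
            findings.append("__Host- cookie must not have Domain")
    return findings


def audit_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its findings; an empty list means it passed."""
    return {parse_set_cookie(h)[0]: check_cookie(h) for h in headers}


def request_scheme(server: Dict[str, str], config: dict) -> str:
    """Simplified model (an assumption, not Nextcloud's code) of scheme detection.

    Precedence: the 'overwriteprotocol' config value, then X-Forwarded-Proto if
    the peer address is listed in 'trusted_proxies', then the HTTPS server variable.
    """
    overwrite = config.get("overwriteprotocol")
    if overwrite:
        return str(overwrite)
    trusted = config.get("trusted_proxies", [])
    if server.get("REMOTE_ADDR") in trusted and "HTTP_X_FORWARDED_PROTO" in server:
        return "https" if server["HTTP_X_FORWARDED_PROTO"].lower() == "https" else "http"
    return "https" if server.get("HTTPS", "").lower() not in ("", "off") else "http"


def session_cookie(server: Dict[str, str], config: dict) -> str:
    """Build the Set-Cookie header a PHP backend would emit for its session cookie,
    adding Secure only when it believes the request arrived over HTTPS."""
    header = "45342agfd4=replaced; path=/; HttpOnly"   # cookie name from the report
    if request_scheme(server, config) == "https":
        header += "; secure"
    return header


# Constructed sample: nginx terminates TLS and proxies to PHP over plain HTTP.
# The backend sees the proxy's address and no HTTPS variable, only the
# X-Forwarded-Proto header the proxy added.
PROXIED = {"REMOTE_ADDR": "172.18.0.2", "HTTP_X_FORWARDED_PROTO": "https"}


if __name__ == "__main__":
    for cfg in ({}, {"overwriteprotocol": "https"}, {"trusted_proxies": ["172.18.0.2"]}):
        print(cfg, "->", session_cookie(PROXIED, cfg))
    print(audit_cookies([
        session_cookie(PROXIED, {}),
        "__Host-nc_sameSiteCookielax=true; path=/; secure; HttpOnly; SameSite=Lax",
    ]))
```

With an empty config the model returns `http` for the proxied request and the session cookie goes out without Secure, which is exactly the scanner finding; either `'overwriteprotocol' => 'https'` or listing the proxy in `trusted_proxies` (so its X-Forwarded-Proto is honoured) flips it. Run the audit against the headers your own instance returns on the login page before logging in, since that is where the scanners look.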