
TLS cookie without secure flag set - x_mtok #894

Open
@mfeuermann

Description

Hello,

As part of our regular testing, we had our application tested for security. As part of the penetration testing, we received the following finding. It is a cookie created by Ostrio:Files

Description: The application sets the cookie x_mtok, which appears to store a session id, without a Secure flag. If the Secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the Secure flag is not set, then the cookie will be transmitted in clear text if the user visits any HTTP URLs within the cookie's scope.

Impact: An attacker may be able to steal the user's cookie by feeding the user suitable links, either directly or via another web site. Even if the domain that issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack. To exploit this vulnerability, an attacker must be suitably positioned to eavesdrop on the victim's network traffic. This scenario typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer.

Recommendation: The Secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.

Additional resources: https://cwe.mitre.org/data/definitions/614.html
4.6 (Medium) CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

I think the code should be something like this:

```js
if (Meteor.connection._lastSessionId) {
  // Store the DDP session id in a cookie so HTTP file requests can be tied to this client
  cookie.set('x_mtok', Meteor.connection._lastSessionId, {
    path: '/',       // Make the cookie accessible across the entire domain
    sameSite: 'Lax', // Do not attach the cookie to cross-site requests (CSRF mitigation)
    secure: true     // Only send the cookie over HTTPS; a plain-HTTP origin will reject it
    // No httpOnly here: a cookie written from client-side JS (document.cookie) cannot
    // carry HttpOnly, the browser discards such a cookie entirely (RFC 6265 section 5.3)
  });

  if (Meteor.isCordova && this.allowQueryStringCookies) {
    // Check that the application is running on HTTPS before handing the cookie to the server
    if (window.location.protocol === 'https:') {
      cookie.send(); // Send the cookie if the connection is secure
    } else {
      console.warn('Cookie not sent: insecure connection detected.'); // Warn if the connection is not secure
    }
  }
}
```

I don't have much experience contributing to open source; should I open a pull request?

Thanks
Marek
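As an added illustration, not code from the issue or from the Meteor-Files project: a small Node.js model of the RFC 6265 transport rules that the finding above relies on. It parses a cookie string into its attributes, decides whether a browser would attach the cookie to a given URL (a cookie with Secure goes only to an https: scheme, and the port plays no part, so http://example.com:443/ is still plain HTTP), and reports which hardening attributes are missing. The cookie strings and the session id value are constructed for the example; nothing here talks to a real Meteor server.

```javascript
// Parse one cookie string (Set-Cookie value or document.cookie assignment) into the
// attributes that matter for transport. Domain/Expires/Max-Age are ignored on purpose.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: nameValue.slice(0, eq).trim(),
    value: nameValue.slice(eq + 1).trim(),
    path: '/',
    secure: false,
    httpOnly: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.trim().toLowerCase()) {
      case 'path': cookie.path = v.trim() || '/'; break;
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = v.trim(); break;
      default: break;
    }
  }
  return cookie;
}

// RFC 6265 section 5.1.4 path matching: exact match, or cookie-path is a prefix that
// either ends in "/" or is followed by "/" in the request path.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// RFC 6265 section 5.4: a Secure cookie is attached only when the request scheme is
// secure. The scheme is what counts, not the port, so http://host:443/ does not qualify.
function wouldBeSent(cookie, url) {
  const u = new URL(url);
  if (cookie.secure && u.protocol !== 'https:') return false;
  return pathMatches(u.pathname, cookie.path);
}

// Audit helper: list the attributes a pentest would flag as missing on a session cookie.
// HttpOnly is listed for completeness; it can only be set by a server Set-Cookie header,
// never from document.cookie, so a client-written cookie will always show this finding.
function audit(cookie) {
  const findings = [];
  if (!cookie.secure) findings.push('missing Secure (CWE-614)');
  if (!cookie.httpOnly) findings.push('missing HttpOnly');
  if (!cookie.sameSite) findings.push('missing SameSite');
  return findings;
}

// Constructed samples: the cookie as the finding describes it, and the hardened variant.
// "abc123" is a made-up session id, not a real Meteor value.
const ORIGINAL = parseSetCookie('x_mtok=abc123; Path=/; SameSite=Lax');
const HARDENED = parseSetCookie('x_mtok=abc123; Path=/; SameSite=Lax; Secure');

// Show, for the URLs from the finding, which cookie variant a browser would attach.
function compareTransport() {
  const urls = [
    'https://example.com/cdn/storage/files/abc',
    'http://example.com/cdn/storage/files/abc',
    'http://example.com:443/cdn/storage/files/abc',
  ];
  return urls.map((url) => ({
    url,
    originalSent: wouldBeSent(ORIGINAL, url),
    hardenedSent: wouldBeSent(HARDENED, url),
  }));
}

for (const row of compareTransport()) console.log(row);
console.log('original findings:', audit(ORIGINAL));
console.log('hardened findings:', audit(HARDENED));
```

Running it shows the original cookie attached to all three URLs, including the port-443 plain-HTTP link, while the hardened cookie is attached only to the https: URL. The remaining "missing HttpOnly" finding on the hardened cookie is expected for a cookie written from the client and is not something a client-side change can fix.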
