[ZBX-6244] zbx_sessionid cookie is not set as secure under https Created: 2013 Feb 11 Updated: 2020 Jul 16 Resolved: 2013 Oct 24 |
|
| Status: | Closed |
| Project: | ZABBIX BUGS AND ISSUES |
| Component/s: | Frontend (F) |
| Affects Version/s: | 2.0.4 |
| Fix Version/s: | 2.1.9, 2.2.0 |
| Type: | Defect (Security) | Priority: | Major |
| Reporter: | Robert Starsi | Assignee: | Ivo Kurzemnieks |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | cookie, https, security, sessions, trivial | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Environment: |
All |
||
| Description |
|
Zabbix frontend is vulnerable to session hijacking as when running under https the zbx_sessionid cookie is not set as "secure". The solution is simple, replace line 70 in /include/func.inc.php with the following: setcookie($name, $value, isset($time) ? $time : 0, '/', $_SERVER['SERVER_NAME'], (bool)$_SERVER["HTTPS"]); |
| Comments |
| Comment by Ivo Kurzemnieks [ 2013 Oct 17 ] |
|
RESOLVED in svn://svn.zabbix.com/branches/dev/ZBX-6244 |
| Comment by Pavels Jelisejevs (Inactive) [ 2013 Oct 23 ] |
|
(1) According to $_SERVER['HTTPS'] docs, we also need to check for an "off" value:
http://php.net/manual/en/reserved.variables.server.php iivs RESOLVED in r39541 jelisejev According to the docs we can't check for "on". We need to check for a non-empty, not "off" value. iivs RESOLVED in r39558 jelisejev CLOSED. |
| Comment by Pavels Jelisejevs (Inactive) [ 2013 Oct 23 ] |
|
(2) setcookie() can accept nulls for the $path and $domain parameters. Then the changes in the CUrl class are not required. iivs RESOLVED in r39541 jelisejev It's better to make the cookie secure inside of the jQuery.cookie plugin. Also, you can use location.protocol to check for HTTPS, no need to use Curl(). iivs RESOLVED in r39558 jelisejev CLOSED. |
| Comment by Pavels Jelisejevs (Inactive) [ 2013 Oct 23 ] |
|
(3) If all cookies set by PHP are always secure, then cookies set by JS must be secure as well. iivs RESOLVED in r39541 jelisejev CLOSED. |
| Comment by Pavels Jelisejevs (Inactive) [ 2013 Oct 23 ] |
|
(4) There are two unused cookie-related functions that can be removed: zbx_flush_post_cookies() and zbx_set_post_cookie(). iivs RESOLVED in r39542 jelisejev CLOSED. |
| Comment by Pavels Jelisejevs (Inactive) [ 2013 Oct 24 ] |
|
TESTED. |
| Comment by Ivo Kurzemnieks [ 2013 Oct 25 ] |
|
Fixed in pre-2.1.9 (trunk) r39571 |