PHP-A1003 @ 3c35586 • smalos / nubuilder

Run summary

a year ago

8e4129c..3c35586

2 mins 6 s

Audit required: Sensitive cookie without HttpOnly attribute PHP-A1003

Security

Critical

1 occurrence in this check

a03 cwe-79 cwe-1004 sans top 25 owasp top 10 cwe-325

Cookie set without HttpOnly only flag

core/nuvendorlogin.php

54        $page = "libs/tinyfilemanager/tinyfilemanager.php";
55    }
56
57    setcookie("nu_".$appId, $_SESSION['nubuilder_session_data']['SESSION_ID']);58
59    return $page;
60}

Description

Cookies set without the httponly flag can be read by a client-side script, leading to cookie theft from Cross-Site Scripting (XSS) attacks.

By default, setcookie and setrawcookie function creates cookie with httponly value to false. It is recommended to explicitly set httponly to true to prevent the risk.

In past it has led to vulnerabilities like:

Cross-Site Scripting (XSS) attacks target the theft of cookies set by application. If httponly attribute is set to true, it won't be possible to exploit the XSS vulnerability to steal application cookies.

smalos / nubuilder_dev

References