View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0009524 | mantisbt | security | public | 2008-08-12 20:12 | 2009-01-15 11:25 |
Reporter | hanno | Assigned To | grangeway | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 1.2.0a2 | ||||
Target Version | 1.2.0a3 | Fixed in Version | 1.2.0a3 | ||
Summary | 0009524: Mantis should use secure sessions on https connections | ||||
Description | Recently an issue with session cookies got some public attention: (in german) The problem is, if a site uses https only, but the user one time calls a http-url, the cookie is transferred unencrypted. Mantis is vulnerable to that issue, the solution is to set the session cookies to be only used secure if the app is running on ssl. I've attached patches for both mantis 1.1 and 1.2. As I'd consider this a security issue, I've assigned CVE-2008-3102 to it. | ||||
Tags | No tags attached. | ||||
Attached Files | mantis-securesession-1.1.diff (378 bytes)
--- mantis-orig/core/session_api.php.orig 2008-08-13 01:58:06.000000000 +0200 +++ mantis-1/core/session_api.php 2008-08-13 01:58:30.000000000 +0200 @@ -49,6 +49,7 @@ */ class MantisPHPSession extends MantisSession { function __construct() { + if ($_SERVER['HTTPS']) session_set_cookie_params( 0, '/', '', true, true ); session_start(); $this->id = session_id(); } mantis-securesession-1.2.diff (360 bytes)
--- mantis-1.2.0a2/core/session_api.php 2008-07-30 14:00:15.000000000 +0200 +++ mantis-1.2.0a2-1/core/session_api.php 2008-08-13 02:05:32.000000000 +0200 @@ -56,6 +56,7 @@ } session_cache_limiter( 'private_no_expire' ); + if ($_SERVER['HTTPS']) session_set_cookie_params( 0, '/', '', true, true ); session_start(); $this->id = session_id(); } | ||||
@@ -56,6 +56,9 @@
Commited to TRUNK for inclusion in next 1.2 alpha release. |
|