0009524: Mantis should use secure sessions on https connections

View Issue Details [ Jump to Notes ] [ Wiki ]

[ Issue History ] [ Print ]

Project

Category

View Status

Date Submitted

Last Update

0009524

mantisbt

security

public

2008-08-12 20:12

2009-01-15 11:25

Reporter

hanno

Assigned To

grangeway

Priority

normal

Severity

minor

Reproducibility

always

Status

closed

Resolution

fixed

Platform

OS Version

Product Version

1.2.0a2

Target Version

1.2.0a3

Fixed in Version

1.2.0a3

Summary

0009524: Mantis should use secure sessions on https connections

Description

Recently an issue with session cookies got some public attention:
http://www.heise.de/security/Ausspioniert-trotz-Verschluesselung--/news/meldung/114141 [^]

(in german)

The problem is, if a site uses https only, but the user one time calls a http-url, the cookie is transferred unencrypted.

Mantis is vulnerable to that issue, the solution is to set the session cookies to be only used secure if the app is running on ssl. I've attached patches for both mantis 1.1 and 1.2.

As I'd consider this a security issue, I've assigned CVE-2008-3102 to it.

Tags

No tags attached.

Attached Files

mantis-securesession-1.1.diff [^] (378 bytes) 2008-08-12 20:12 [Show Content] [Hide Content]

--- mantis-orig/core/session_api.php.orig	2008-08-13 01:58:06.000000000 +0200
+++ mantis-1/core/session_api.php	2008-08-13 01:58:30.000000000 +0200
@@ -49,6 +49,7 @@
  */
 class MantisPHPSession extends MantisSession {
 	function __construct() {
+		if ($_SERVER['HTTPS']) session_set_cookie_params( 0, '/', '', true, true );
 		session_start();
 		$this->id = session_id();
 	}

mantis-securesession-1.2.diff [^] (360 bytes) 2008-08-12 20:12 [Show Content] [Hide Content]

--- mantis-1.2.0a2/core/session_api.php	2008-07-30 14:00:15.000000000 +0200
+++ mantis-1.2.0a2-1/core/session_api.php	2008-08-13 02:05:32.000000000 +0200
@@ -56,6 +56,7 @@
 		}
 
 		session_cache_limiter( 'private_no_expire' );
+		if ($_SERVER['HTTPS']) session_set_cookie_params( 0, '/', '', true, true );
 		session_start();
 		$this->id = session_id();
 	}

Relationships

related to

0009533

closed

jreese

Mantis should use secure sessions on https connections

Notes
(0019140) grangeway (developer) 2008-08-13 05:22	@@ -56,6 +56,9 @@ } session_cache_limiter( 'private_no_expire' ); + if ( isset( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) { + session_set_cookie_params( 0, config_get( 'cookie_path' ), config_get( 'cookie_domain' ), true, true ); + } session_start(); $this->id = session_id(); } Commited to TRUNK for inclusion in next 1.2 alpha release.

Issue History
Date Modified	Username	Field	Change
2008-08-12 20:12	hanno	New Issue
2008-08-12 20:12	hanno	File Added: mantis-securesession-1.1.diff
2008-08-12 20:12	hanno	File Added: mantis-securesession-1.2.diff
2008-08-13 05:22	grangeway	Note Added: 0019140
2008-08-13 08:57	jreese	Issue cloned: 0009533
2008-08-13 08:57	jreese	Relationship added	related to 0009533
2008-08-13 08:58	jreese	Assigned To	=> grangeway
2008-08-13 08:58	jreese	Status	new => resolved
2008-08-13 08:58	jreese	Resolution	open => fixed
2008-08-13 08:58	jreese	Fixed in Version	=> 1.2.2
2008-08-13 08:58	jreese	Target Version	=> 1.2.2
2008-10-09 13:30	giallu	View Status	private => public
2008-12-30 22:00	jreese	Fixed in Version	1.2.2 => 1.2.0a3
2008-12-30 22:06	jreese	Target Version	1.2.2 => 1.2.0a3
2009-01-15 11:25	jreese	Status	resolved => closed

MantisBT 1.2.16dev master-1.2.x-05091f5 [^]

Time: 0.0652 seconds.
memory usage: 2,812 KB