2014-12-19 07:55 EST

ID: 0009524
Project: mantisbt
Category: security
View Status: public
Last Update: 2009-01-15 11:25
Reporter: hanno
Assigned To: grangeway
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.0a2
Target Version: 1.2.0a3
Fixed in Version: 1.2.0a3
Summary: 0009524: Mantis should use secure sessions on https connections

Description:
Recently an issue with session cookies got some public attention:
http://www.heise.de/security/Ausspioniert-trotz-Verschluesselung--/news/meldung/114141
(in German)

The problem is that if a site uses HTTPS only but the user once calls an HTTP URL, the cookie is transferred unencrypted.

Mantis is vulnerable to that issue; the solution is to set the session cookies to be used only over secure connections if the app is running on SSL. I've attached patches for both Mantis 1.1 and 1.2.

As I'd consider this a security issue, I've assigned CVE-2008-3102 to it.
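As an added illustration (not the reporter's patches and not Mantis code), the HTTPS detection the description calls for, with the bare truth test used in the attachments beside a value check that also handles servers that set HTTPS to "off"; the function names and the sample request environments are constructed for this example.

```php
<?php
// Added example, not Mantis code: decide the session cookie parameters from the
// request. $server stands in for $_SERVER so the cases below run without a web
// server; function names are hypothetical.

// The check from the original attachment: a bare truth test on $_SERVER['HTTPS'].
function naive_is_https(array $server): bool {
    // isset() added only to avoid the undefined-index notice the original emits.
    return isset($server['HTTPS']) && (bool) $server['HTTPS'];
}

// Apache leaves HTTPS unset on plain HTTP; IIS sets it to "off", which is a
// non-empty string and therefore truthy in PHP. Test the value, not its presence.
function request_is_https(array $server): bool {
    return isset($server['HTTPS'])
        && $server['HTTPS'] !== ''
        && strtolower($server['HTTPS']) !== 'off';
}

// Arguments for session_set_cookie_params(), which must run before session_start().
// Secure follows the transport; HttpOnly is set on every connection.
function session_cookie_params_for(array $server, string $path, string $domain): array {
    return [0, $path, $domain, request_is_https($server), true];
}

// Constructed request environments for the three deployments the check has to handle.
$cases = [
    'Apache, HTTPS' => ['HTTPS' => 'on'],
    'Apache, HTTP'  => [],
    'IIS, HTTP'     => ['HTTPS' => 'off'],
];

foreach ($cases as $label => $server) {
    [$lifetime, $path, $domain, $secure, $httponly] =
        session_cookie_params_for($server, '/mantis/', '');
    printf("%-14s naive=%-5s fixed=%-5s HttpOnly=%s\n", $label,
        var_export(naive_is_https($server), true),
        var_export($secure, true),
        var_export($httponly, true));
}
// In the real session class the result is applied as
//   session_set_cookie_params(...session_cookie_params_for($_SERVER, $path, $domain));
//   session_start();
```

The "IIS, HTTP" row is the case where the naive test marks a plain-HTTP request as secure, which would hand the visitor a cookie the browser never sends back over HTTP.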
Tags: No tags attached.
Attached Files
  • mantis-securesession-1.1.diff (378 bytes) 2008-08-12 20:12
    --- mantis-orig/core/session_api.php.orig	2008-08-13 01:58:06.000000000 +0200
    +++ mantis-1/core/session_api.php	2008-08-13 01:58:30.000000000 +0200
    @@ -49,6 +49,7 @@
      */
     class MantisPHPSession extends MantisSession {
     	function __construct() {
    +		if ($_SERVER['HTTPS']) session_set_cookie_params( 0, '/', '', true, true );
     		session_start();
     		$this->id = session_id();
     	}
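Review bot: the guard `if ($_SERVER['HTTPS'])` on the added line misbehaves on both kinds of plain-HTTP request: on Apache the key is absent, so the line raises an undefined-index notice, and on IIS it is set to the string "off", which is non-empty and therefore truthy, so HTTP visitors would receive a Secure cookie the browser never returns and could not keep a session. Test the value instead, e.g. `isset( $_SERVER['HTTPS'] ) && strtolower( $_SERVER['HTTPS'] ) != 'off'`. The hard-coded path `'/'` and empty domain also bypass the installation's `cookie_path` and `cookie_domain` settings; passing `config_get( 'cookie_path' )` and `config_get( 'cookie_domain' )` keeps the session cookie scoped like the rest of Mantis's cookies.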
    
  • mantis-securesession-1.2.diff (360 bytes) 2008-08-12 20:12
    --- mantis-1.2.0a2/core/session_api.php	2008-07-30 14:00:15.000000000 +0200
    +++ mantis-1.2.0a2-1/core/session_api.php	2008-08-13 02:05:32.000000000 +0200
    @@ -56,6 +56,7 @@
     		}
     
     		session_cache_limiter( 'private_no_expire' );
    +		if ($_SERVER['HTTPS']) session_set_cookie_params( 0, '/', '', true, true );
     		session_start();
     		$this->id = session_id();
     	}
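Review bot: the added line carries the same HTTPS test as the 1.1 patch and so has the same two defects, an undefined-index notice when the key is absent and a true result for the IIS value "off", and it likewise hard-codes `'/'` and `''` instead of `config_get( 'cookie_path' )` / `config_get( 'cookie_domain' )`. The placement is right, since `session_set_cookie_params()` only has effect when it runs before `session_start()`. One caveat on the fifth argument: the httponly parameter of `session_set_cookie_params()` exists only from PHP 5.2.0 onward, so if older PHP 5 releases are still supported the call needs a version check or the argument dropped.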
    

Relationships
related to 0009533 (closed, jreese): Mantis should use secure sessions on https connections

Notes

~0019140
grangeway (reporter)

@@ -56,6 +56,9 @@
         }
 
         session_cache_limiter( 'private_no_expire' );
+ if ( isset( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
+ session_set_cookie_params( 0, config_get( 'cookie_path' ), config_get( 'cookie_domain' ), true, true );
+ }
         session_start();
         $this->id = session_id();
     }
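Review bot: the cookie parameters are only set inside the HTTPS branch, so on a plain-HTTP request the session cookie falls back to php.ini's session.cookie_path and session.cookie_domain instead of `config_get( 'cookie_path' )` / `config_get( 'cookie_domain' )`, and loses the httponly flag as well. Call `session_set_cookie_params()` unconditionally and derive only the fourth argument from the check, e.g. `$t_secure = isset( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' );` followed by `session_set_cookie_params( 0, config_get( 'cookie_path' ), config_get( 'cookie_domain' ), $t_secure, true );`. The isset/'off' test itself is the right correction of the attachment's truthy-"off" problem; note that behind a TLS-terminating reverse proxy `$_SERVER['HTTPS']` is usually not set at all, so such deployments would never get the Secure flag from this check.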

Committed to TRUNK for inclusion in the next 1.2 alpha release.

Issue History
Date Modified Username Field Change
2008-08-12 20:12 hanno New Issue
2008-08-12 20:12 hanno File Added: mantis-securesession-1.1.diff
2008-08-12 20:12 hanno File Added: mantis-securesession-1.2.diff
2008-08-13 05:22 grangeway Note Added: 0019140
2008-08-13 08:57 jreese Issue cloned: 0009533
2008-08-13 08:57 jreese Relationship added related to 0009533
2008-08-13 08:58 jreese Assigned To => grangeway
2008-08-13 08:58 jreese Status new => resolved
2008-08-13 08:58 jreese Resolution open => fixed
2008-08-13 08:58 jreese Fixed in Version => 1.2.2
2008-08-13 08:58 jreese Target Version => 1.2.2
2008-10-09 13:30 giallu View Status private => public
2008-12-30 22:00 jreese Fixed in Version 1.2.2 => 1.2.0a3
2008-12-30 22:06 jreese Target Version 1.2.2 => 1.2.0a3
2009-01-15 11:25 jreese Status resolved => closed