Summary

I noticed in a recent pentest of a Joomla site that Joomla's session cookies are not set with the HttpOnly attribute.

The 'HttpOnly' attribute prevents access to the cookie from the client browser's JavaScript engine and provides some mitigation against XSS attacks. And even though some browsers do not support it, the biggest ones (IE and FF) already do, so I believe it is always a good thing to have it set.
I had a look at Joomla’s session creation to see what could be changed.
Unfortunately there are still many people using versions below PHP 5.2, especially because RHEL is still on 5.1.6.
So I came up with the following simple changes that would still work on PHP 5.1:

File: /libraries/joomla/session/session.php
Line: 424
Find: session_start();
Replace:
    // [RG] 20100708 The session cookie should carry the HttpOnly attribute for XSS prevention.
    // PHP 5.1 has no httponly argument, so re-send the cookie header that session_start() queued.
    $sess_name = session_name();
    if (session_start()) {
        $cookie = session_get_cookie_params();
        // header() with its default $replace = true drops every Set-Cookie header queued so far,
        // including PHP's own session cookie (the one we want to override) and any other cookie
        // set before this point.
        // Expires is sent next to Max-Age because older Internet Explorer ignores Max-Age.
        header('Set-Cookie: '.$sess_name.'='.session_id()
            .(empty($cookie['domain']) ? '' : '; Domain='.$cookie['domain'])
            .(empty($cookie['lifetime']) ? '' : '; Expires='.gmdate('D, d-M-Y H:i:s', time() + (int) $cookie['lifetime']).' GMT')
            .(empty($cookie['lifetime']) ? '' : '; Max-Age='.(int) $cookie['lifetime'])
            .(empty($cookie['path']) ? '' : '; Path='.$cookie['path'])
            .(!$cookie['secure'] ? '' : '; Secure')
            .'; HttpOnly');
    }

Line: 553
Find: session_start();
Replace:
    // [RG] 20100708 The session cookie should carry the HttpOnly attribute for XSS prevention.
    // PHP 5.1 has no httponly argument, so re-send the cookie header that session_start() queued.
    $sess_name = session_name();
    if (session_start()) {
        $cookie = session_get_cookie_params();
        // header() with its default $replace = true drops every Set-Cookie header queued so far,
        // including PHP's own session cookie (the one we want to override) and any other cookie
        // set before this point.
        // Expires is sent next to Max-Age because older Internet Explorer ignores Max-Age.
        header('Set-Cookie: '.$sess_name.'='.session_id()
            .(empty($cookie['domain']) ? '' : '; Domain='.$cookie['domain'])
            .(empty($cookie['lifetime']) ? '' : '; Expires='.gmdate('D, d-M-Y H:i:s', time() + (int) $cookie['lifetime']).' GMT')
            .(empty($cookie['lifetime']) ? '' : '; Max-Age='.(int) $cookie['lifetime'])
            .(empty($cookie['path']) ? '' : '; Path='.$cookie['path'])
            .(!$cookie['secure'] ? '' : '; Secure')
            .'; HttpOnly');
    }
Opened On:
7 Jul 2010, 12:17 by Ricardo Goncalves
Status:
Confirmed

Filed Under

  • Developer
  • Internet Explorer 7.x
  • Joomla! Libraries
  • PHP 5.1.x

Responses

Posted on 1 May 2011, 23:14 by Ricardo Goncalves
Almost 1 year and 5 sub-versions later, this issue still remains open!

Although it is not a major security risk, it is still nevertheless a security issue. And I thought that by pointing out the issue and a solution the Joomla developers would be keen to roll it out.

If the problem is around the code, please let me know and I'm more than happy to find a better solution for it.
Posted on 12 Jul 2011, 13:57 by Jacob Waisner
Moving to confirmed. If you can create a patch with the needed changes that would be great.
Posted on 2 May 2012, 13:04 by Mark Boos
Again 1 year later (so 2 years after the initial report), with production Joomla 2.5, this vulnerability is still in place.

The importance of "httpOnly"-cookies is explained by OWASP:
https://www.owasp.org/index.php/Testing_for_cookies_attributes_%28OWASP-SM-002%29

It would be great if either the above solution for PHP 5.1 or the PHP 5.2 solution (simply adding a ",1" to the setcookie call) were implemented.

The setcookie function in php:
http://php.net/manual/en/function.setcookie.php
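As an added example that is not part of the report, of the replies, or of Joomla's own code, the following PHP puts together the two fixes discussed in this thread: the native httponly argument of session_set_cookie_params() on PHP 5.2 and later (the ",1" mentioned above), and the header-rewrite workaround from the report for PHP 5.1. The function names (startHttpOnlySession, buildSessionCookieHeader, rewriteSessionCookieHeader, sessionCookieIsHttpOnly) are assumed, not Joomla's. It also adds two things a reviewer would ask for: the PHP 5.1 path preserves Set-Cookie headers that other code has already queued, which a bare header() call with its default $replace = true would drop, and there is a runtime check that the queued session cookie actually carries HttpOnly.

```php
<?php
// Added example, not Joomla's code. Function names are assumed.

/**
 * Build the Set-Cookie value for the session cookie from the parameters PHP
 * would use itself, adding HttpOnly. Expires is sent next to Max-Age because
 * some browsers, older Internet Explorer among them, ignore Max-Age.
 */
function buildSessionCookieHeader($name, $id, array $p)
{
    $value = $name . '=' . $id;
    if (!empty($p['lifetime'])) {
        $lifetime = (int) $p['lifetime'];
        $value .= '; Expires=' . gmdate('D, d-M-Y H:i:s', time() + $lifetime) . ' GMT';
        $value .= '; Max-Age=' . $lifetime;
    }
    if (!empty($p['path']))   { $value .= '; Path=' . $p['path']; }
    if (!empty($p['domain'])) { $value .= '; Domain=' . $p['domain']; }
    if (!empty($p['secure'])) { $value .= '; Secure'; }
    return $value . '; HttpOnly';
}

/**
 * Replace PHP's own Set-Cookie header for the session without discarding
 * Set-Cookie headers other code already queued: header() with $replace = true
 * drops every Set-Cookie line, so the unrelated ones are collected and re-sent.
 */
function rewriteSessionCookieHeader($name, $headerValue)
{
    $others = array();
    foreach (headers_list() as $line) {
        if (stripos($line, 'Set-Cookie:') === 0
            && strpos(ltrim(substr($line, 11)), $name . '=') !== 0) {
            $others[] = $line;
        }
    }
    header('Set-Cookie: ' . $headerValue, true);   // replaces all queued Set-Cookie lines
    foreach ($others as $line) {
        header($line, false);                      // re-queue the unrelated cookies
    }
}

/**
 * Start the session with an HttpOnly cookie. Returns true on success.
 */
function startHttpOnlySession()
{
    if (headers_sent()) {
        return false;   // too late to influence the cookie attributes
    }
    $p = session_get_cookie_params();
    if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
        // Native support: the fifth argument of session_set_cookie_params() is httponly.
        session_set_cookie_params($p['lifetime'], $p['path'], $p['domain'], $p['secure'], true);
        return session_start();
    }
    // PHP 5.1: let session_start() queue its cookie, then overwrite the header.
    if (!session_start()) {
        return false;
    }
    rewriteSessionCookieHeader(session_name(),
        buildSessionCookieHeader(session_name(), session_id(), $p));
    return true;
}

/**
 * Self-check for a test or a health endpoint: does the queued session cookie
 * carry HttpOnly? Returns null when no session cookie header is queued.
 */
function sessionCookieIsHttpOnly()
{
    $prefix = session_name() . '=';
    foreach (headers_list() as $line) {
        if (stripos($line, 'Set-Cookie:') === 0) {
            $cookie = ltrim(substr($line, 11));
            if (strpos($cookie, $prefix) === 0) {
                return stripos($cookie, '; HttpOnly') !== false;
            }
        }
    }
    return null;
}

startHttpOnlySession();
var_dump(sessionCookieIsHttpOnly());
```

Run this under a web SAPI: on the CLI headers_list() is always empty, so the check returns null there. On the PHP 5.2 path, PHP only sends the session cookie when it creates a new session id, so the check returns null on requests that already carry a valid session cookie; the PHP 5.1 path re-sends the cookie on every request, as the patch in the report does. Setting ini_set('session.cookie_httponly', '1') before session_start() is equivalent to the native path. Whatever the PHP version, a site served over HTTPS should also have session.cookie_secure enabled, since HttpOnly does nothing against the cookie travelling in clear text.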
Posted on 25 Aug 2014, 4:12 by Jonny Roger
There is the following pull request for Joomla 2.5.x: https://github.com/joomla/joomla-cms/pull/4153