Описание
Flarum Vulnerable to Session Hijacking via Authoritative Subdomain Cookie Overwrite
Summary
A session hijacking vulnerability exists when an attacker-controlled authoritative subdomain under a parent domain (e.g., subdomain.host.com) sets cookies scoped to the parent domain (.host.com). This allows session token replacement for applications hosted on sibling subdomains (e.g., community.host.com) if session tokens aren't rotated post-authentication.
Key Constraints:
- Attacker must control any subdomain under the parent domain (e.g.,
evil.host.comorx.y.host.com). - Parent domain must not be on the Public Suffix List.
Due to non-existent session token rotation after authenticating we can theoretically reproduce the vulnerability by using browser dev tools, but due to the browser's security measures this does not seem to be exploitable as described.
Proof of Concept (Deno)
Attack Flow
- Attacker Setup: Hosts server at
evil.host.com. - Harvest Session Token: Attacker visits
community.host.comto get a session token for himself to replace the victim's token with his own. - Victim Interaction: User clicks link to
https://evil.host.com. - Cookie Override: Server sets cookie with
Domain=.host.comand the harvested token from step 2. - Session Hijacking: Victim's future requests to
community.host.comuse attacker's token.
Why Reverse DNS Subdomains Fail
Browsers block cookie setting for parent domains unless:
- Authoritative Subdomain: Server must belong to a direct child domain (e.g.,
a.host.com, notx.y.host.com). - Public Suffix Exclusion: If
host.comis on the Public Suffix List (e.g., likegithub.io), browsers block cross-subdomain cookies.
Example:
- ❌
123.cust.dynamic.host.com→ Cannot setDomain=.host.com. - ✅
evil.host.com→ Can setDomain=.host.com(if not on PSL).
Browser Security Behavior
1. Cookie Domain Validation
Per RFC 6265 §5.3:
Cookies can only be set for domains the server is authoritative for.
2. Public Suffix List (PSL)
Domains like host.com on the PSL trigger browser protections:
Subdomains of PSL-listed domains cannot set cookies for parent domains.
Verification:
- Check PSL status: https://publicsuffix.org/list/
Impact
- Account Takeover: Attacker gains authenticated session access.
- Data Exposure: Email, private messages, and other personal data exposed.
- Exploitable Only If:
- Parent domain is not PSL-listed.
- Attacker controls direct child subdomain (e.g.,
evil.host.com).
Remediation
- Session Token Rotation:
// After authentication: invalidateOldSession(); const newToken = generateToken();
- Cookie Scoping (already in place):
// Restrict cookies to explicit subdomain: "Set-Cookie": "session=token; Domain=community.host.com; Secure; HttpOnly; SameSite=Lax";
- Public Suffix Registration:
Addhost.comto the Public Suffix List via PSL Submission.
Revised Vulnerability Criteria
Prerequisites:
- Attacker controls authoritative subdomain (e.g.,
evil.host.com). - Parent domain (
host.com) is not PSL-listed. - Session tokens persist post-authentication.
References
Пакеты
flarum/core
< 1.8.10
1.8.10
flarum/framework
< 1.8.10
1.8.10
Связанные уязвимости
Flarum is open-source forum software. A session hijacking vulnerability exists in versions prior to 1.8.10 when an attacker-controlled authoritative subdomain under a parent domain (e.g., `subdomain.host.com`) sets cookies scoped to the parent domain (`.host.com`). This allows session token replacement for applications hosted on sibling subdomains (e.g., `community.host.com`) if session tokens aren't rotated post-authentication. Key Constraints are that the attacker must control any subdomain under the parent domain (e.g., `evil.host.com` or `x.y.host.com`), and the parent domain must not be on the Public Suffix List. Due to non-existent session token rotation after authenticating we can theoretically reproduce the vulnerability by using browser dev tools, but due to the browser's security measures this does not seem to be exploitable as described. Version 1.8.10 contains a patch for the issue.