In the 'page' HTML file, the value of the 'unique_id' cookie is derived from the user_login field. If an attacker controls the user_login field, they may be able to inject arbitrary HTML into the page. The injected markup is stored as the value of the 'unique_id' cookie and is therefore returned in responses to GET requests for the '/' resource. For example, an attacker may be able to steal another user's cookie by injecting the following code into the 'page' resource: <input id="user_login" type="text" value="<script>alert('Stolen cookie!')</script>" />

Mitigation

The 'unique_id' cookie should not be trusted by applications.
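The pattern described above, an untrusted cookie value written straight into the page, is easiest to see next to its fix. The following Python is an added illustration, not code from the advisory or from the affected application: it models the vulnerable rendering path, a hardened version that allow-lists the cookie value and escapes it on output, and a small detection helper that flags cookie values carrying markup. The identifier format in UNIQUE_ID_RE and the sample request headers are assumptions constructed for the example.

```python
import html
import re

# Assumption: a legitimate unique_id is a short token of URL-safe characters.
# The real application's identifier format is not stated in the advisory.
UNIQUE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def parse_cookies(cookie_header):
    """Parse a raw Cookie request header into a dict (last value wins)."""
    cookies = {}
    for part in cookie_header.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        cookies[name.strip()] = value.strip()
    return cookies


def render_vulnerable(cookie_header):
    """The flawed pattern: the cookie value is concatenated into HTML unescaped."""
    unique_id = parse_cookies(cookie_header).get("unique_id", "")
    return f'<input id="user_login" type="text" value="{unique_id}" />'


def render_hardened(cookie_header):
    """Validate the cookie against an allow-list, then escape it on output.

    Both steps matter: the allow-list rejects anything that is not a plausible
    identifier, and html.escape guarantees that whatever reaches the attribute
    cannot close it or start a tag even if the allow-list is later relaxed.
    """
    unique_id = parse_cookies(cookie_header).get("unique_id", "")
    if not UNIQUE_ID_RE.fullmatch(unique_id):
        unique_id = ""  # untrusted value: treat as absent, never echo it back
    return f'<input id="user_login" type="text" value="{html.escape(unique_id, quote=True)}" />'


def contains_markup(value):
    """Detection helper: True if a cookie value carries HTML or script markup.

    Useful in request logging or a WAF-style check to surface tampered cookies.
    """
    return bool(re.search(r"[<>\"']|</?script|javascript:", value, re.IGNORECASE))


# Constructed sample Cookie headers (not captured from the affected site).
BENIGN_HEADER = "session=abc123; unique_id=user_42"
HOSTILE_HEADER = "unique_id=<script>alert('Stolen cookie!')</script>"

if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(HOSTILE_HEADER))
    print("hardened:  ", render_hardened(HOSTILE_HEADER))
    for header in (BENIGN_HEADER, HOSTILE_HEADER):
        value = parse_cookies(header).get("unique_id", "")
        print(f"unique_id={value!r} flagged={contains_markup(value)}")
```

Run stand-alone, the script shows the raw `<script>` tag surviving in the vulnerable output and disappearing from the hardened one, and the detection helper flagging only the tampered cookie. The allow-list is the primary control: output escaping alone would keep the markup inert, but rejecting malformed identifiers also stops the value from being stored and replayed in the first place.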

Vulnerability summary

An attacker who is able to inject arbitrary HTML into the 'page' resource can steal another user's cookie.
The injected value is stored in the 'unique_id' cookie and returned in responses to GET requests for /, so it is served to other users who visit that resource.

Overview

This vulnerability is caused by the 'page' resource's use of a cookie whose value is controlled by an attacker. Cookies are text-based identifiers sent from a server to a browser and returned to the server on subsequent requests. They can be used to track individual users or groups of users and to establish sessions (a unique identity for the duration of a browsing session).
In this case, an attacker may be able to steal another user's cookies by injecting code into the 'page' resource. The injection changes the value of the 'unique_id' cookie, which is then returned by GET requests to the '/' resource.

Summary

The value of the 'unique_id' cookie is derived from the user_login field. If an attacker controls the user_login field, they may be able to inject arbitrary HTML into the page. The injected markup is stored as the value of the 'unique_id' cookie and is therefore returned in responses to GET requests for the '/' resource.
An attacker can steal cookies from other users by injecting the following code: <input id="user_login" type="text" value="<script>alert('Stolen cookie!')</script>" />

Timeline

Published on: 11/03/2022 20:15:00 UTC
Last modified on: 12/05/2022 15:15:00 UTC
