Problem/Motivation

Drupal core has a potential information disclosure or session hijacking vulnerability.

Affects Drupal 7 and 8 (and likely 6, which was not checked).

The session cookies and other cookies do not have a path set on them when Drupal is installed in a subdir. Because of this, the cookies will be sent to other applications served from the same domain.

The original steps to reproduce involve a Drupal.visitor cookie, but it looks like this also affects the session cookie set from PHP and possibly others.

Drupal.visitor cookies are set with "/" as the path, whereas this should be set to the actual root of the Drupal installation. If Drupal is installed in a subfolder (e.g. https://example.com/my-drupal-8), then the Drupal.visitor cookies are also accessible to the website https://example.com and other subsites.

If a module uses user_cookie_save to save data about the visitor, then this data might get disclosed outside of the current website.

function user_cookie_save(array $values) {
  foreach ($values as $field => $value) {
    // Set cookie for 365 days.
    setrawcookie('Drupal.visitor.' . $field, rawurlencode($value), REQUEST_TIME + 31536000, '/');
  }
}

Reported via the Drupal 8 security bug bounty. Approved by Drupal Security Team for public disclosure.

https://tracker.bugcrowd.com/submissions/c7ec824ef62c270a682c80a445e488f...

Reported by https://www.drupal.org/u/lva

Proposed resolution

In PHP and JS, set the site's base path as the cookie path when setting any cookie.

Remaining tasks

Postponed on #2529170: [PP-1] Remove DrupalKernel::initializeRequestGlobals and replace base_root, base_url and base_path with a service
decide on strategy
create patch
create tests
review

User interface changes

none

API changes

small change in cookie settings behavior

Data model changes

none

Files attached to comments:
#4: session_and_other-2515054-4.patch (4.08 KB, znerol)

Comments

pwolanin

Issue summary: changed
lva

I reported this bug.
I can confirm that the issue also applies to session cookies.

I'm not sure if a function already exists that returns the path in which Drupal is installed. If not, the following code may be used:

// strrpos — Find the position of the last occurrence of a substring in a string.
$pos = strrpos($_SERVER["PHP_SELF"], "/");
if ($pos === false) {
  $cookie_path = "/";
} else {
  $cookie_path = substr($_SERVER["PHP_SELF"], 0, $pos + 1);
}

Please note that the code is a bit more advanced than just stripping the "index.php" since an administrator may rename index.php to something else.

pwolanin

Issue summary: changed
znerol

Status: Active » Needs review
Issue tags: +D8 Accelerate London
Attached file: session_and_other-2515054-4.patch (new, 4.08 KB)
znerol

Not sure how to test user_cookie_save(). But since there is coverage for SessionConfiguration, I believe this is okay.

Nevertheless this issue should also be tested manually with a site installed in a subdirectory. The session cookie is set upon login, and a Drupal.visitor cookie can be obtained e.g. at drupal/admin/index by toggling the descriptions.

Status: Needs review » Needs work

The last submitted patch, 4: session_and_other-2515054-4.patch, failed testing.

znerol

Regrettably the installer no longer logs in the user because the session cookie now has a base url relative to the installer (i.e. /core instead of /).

We have the following options now:

  1. Revert to global $base_path where /core is stripped away from within DrupalKernel::initializeRequestGlobals().
  2. Provide some mechanism which is capable of returning the base url / base path relative to the application root.
  3. Munge the request parameters in the special front-controllers under core in a similar way as the http.php/https.php test frontcontrollers do.
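As an added example (not Drupal core code and not the patch attached to this issue), the following standalone PHP script ties together three points from the discussion above: the issue summary's observation that a cookie set with a path of "/" is sent to every application on the same host, lva's suggestion of deriving the cookie path from the executing script, and znerol's finding that a front controller under /core would otherwise scope the cookie to the wrong directory. The function names (cookie_path_matches, site_cookie_path, visitor_cookie_header, leak_report), the $app_subdirs list, the sample field name and the sample request paths are this example's own assumptions, not Drupal APIs or settings.

```php
<?php
// Added example, not Drupal core code. All function names, the $app_subdirs
// list and the sample paths below are constructed for this demonstration.

/**
 * RFC 6265 section 5.1.4 "path-match": the browser attaches a cookie to a
 * request only when the request path matches the cookie path by these rules.
 */
function cookie_path_matches(string $cookie_path, string $request_path): bool {
  if ($cookie_path === $request_path) {
    return TRUE;
  }
  if (strpos($request_path, $cookie_path) !== 0) {
    return FALSE;
  }
  // A prefix match counts only when the cookie path ends in "/" or the request
  // path continues with "/": "/my-drupal-8" matches "/my-drupal-8/user" but
  // not "/my-drupal-8-staging".
  return substr($cookie_path, -1) === '/'
    || substr($request_path, strlen($cookie_path), 1) === '/';
}

/**
 * Derives a cookie path scoped to the installation from the directory of the
 * executing front controller (lva's approach; pass SCRIPT_NAME rather than
 * PHP_SELF so that PATH_INFO appended to the URL cannot influence it).
 * A trailing front-controller subdirectory such as "core" is stripped, so
 * core/install.php yields the same path as index.php (cf. znerol's option 1).
 * $app_subdirs is an assumption of this example, not a Drupal setting.
 */
function site_cookie_path(string $script_name, array $app_subdirs = ['core']): string {
  // dirname('/my-drupal-8/index.php') is '/my-drupal-8'; dirname('/index.php') is '/'.
  $dir = rtrim(dirname($script_name), '/');
  foreach ($app_subdirs as $sub) {
    $suffix = '/' . $sub;
    if (substr($dir, -strlen($suffix)) === $suffix) {
      $dir = substr($dir, 0, -strlen($suffix));
    }
  }
  // No trailing slash: path-match then covers "/my-drupal-8" and everything
  // below it, while a root installation keeps the plain "/" path.
  return $dir === '' ? '/' : $dir;
}

/**
 * The Set-Cookie header a user_cookie_save()-style helper would emit when the
 * scoped path replaces the hard-coded '/'. Printed only, never sent.
 */
function visitor_cookie_header(string $field, string $value, string $path, int $now): string {
  return sprintf('Set-Cookie: Drupal.visitor.%s=%s; Expires=%s; Path=%s',
    $field, rawurlencode($value), gmdate('D, d M Y H:i:s \G\M\T', $now + 31536000), $path);
}

/**
 * For each request path, reports whether a cookie with Path=/ and a cookie
 * with the scoped path would be sent by the browser.
 */
function leak_report(string $script_name, array $request_paths): array {
  $scoped = site_cookie_path($script_name);
  $report = [];
  foreach ($request_paths as $request_path) {
    $report[$request_path] = [
      'root' => cookie_path_matches('/', $request_path),
      'scoped' => cookie_path_matches($scoped, $request_path),
    ];
  }
  return $report;
}

// Constructed sample: Drupal installed at https://example.com/my-drupal-8.
$script = '/my-drupal-8/index.php';
$requests = [
  '/my-drupal-8/user/login',   // the Drupal site itself
  '/my-drupal-8',              // site root without trailing slash
  '/other-app/index.php',      // sibling application on the same host
  '/my-drupal-8-staging/',     // look-alike prefix, still a different site
];

echo visitor_cookie_header('demo_field', 'some value', site_cookie_path($script), time()), "\n\n";
printf("%-28s %-8s %s\n", 'request path', 'Path=/', 'Path=' . site_cookie_path($script));
foreach (leak_report($script, $requests) as $path => $sent) {
  printf("%-28s %-8s %s\n", $path, $sent['root'] ? 'sent' : '-', $sent['scoped'] ? 'sent' : '-');
}

// Front controllers nested under core/ must still resolve to the site root.
foreach (['/my-drupal-8/core/install.php', '/core/install.php', '/index.php'] as $s) {
  printf("%-32s -> %s\n", $s, site_cookie_path($s));
}
```

Run it with the php command-line binary; nothing is sent to a browser, the Set-Cookie line is only printed. The report shows the Path=/ cookie being sent to the sibling application and to the look-alike site, while the scoped cookie only reaches paths within the Drupal installation. site_cookie_path() deliberately returns no trailing slash: a cookie with Path=/my-drupal-8/ would not match the bare /my-drupal-8 request under the path-match rules, whereas /my-drupal-8 covers both the bare URL and everything below it. The stripping of the core subdirectory is one illustration of znerol's first option; the actual resolution in core was left to #2529170.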
znerol

Filed #2529170: [PP-1] Remove DrupalKernel::initializeRequestGlobals and replace base_root, base_url and base_path with a service which provides a base path also working for front controllers nested deeply in the source tree.

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev
larowlan

Title: Session and other cookies may leak to other apps when Drupal is in a subdirectory » [PP-1] Session and other cookies may leak to other apps when Drupal is in a subdirectory
Issue summary: changed
Status: Needs work » Postponed
Related issues: -#2515054: [PP-1] Session and other cookies may leak to other apps when Drupal is in a subdirectory +#2529170: [PP-1] Remove DrupalKernel::initializeRequestGlobals and replace base_root, base_url and base_path with a service

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.9 was released on December 7, 2022 and is the final full bugfix release for the Drupal 9.4.x series. Drupal 9.4.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.5.x-dev branch from now on, and new development or disruptive changes should be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.