Session cookie without 'HttpOnly' Flag in daloRADIUS

F M Lauria
2022

Abstract

The article provides technical details on a security issue discovered in daloRADIUS (https://github.com/lirantal/daloradius), along with the patch to apply for correcting the issue. In particular, all versions of daloRADIUS prior to the master branch transmit the session cookie (i.e. PHPSESSID) without setting the HttpOnly flag. The problem could allow JavaScript (e.g., via document.cookie) to read the PHPSESSID cookie value on the browser side.
Istituto di informatica e telematica - IIT
Keywords: cybersecurity, vulnerability, disclosure, cve, patch
Files for this item:
There are no files associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/20.500.14243/416328