JS Tracker: set secure flag for _pk_testcookies #15313

Closed
cundd opened this issue Dec 23, 2019 · 2 comments
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.

Comments

@cundd
Contributor

cundd commented Dec 23, 2019

The test-cookie is not explicitly set as "secure". This generates a warning with our PCI Security Scan.

THREAT:
The cookie does not contain the "secure" attribute.
IMPACT:
Cookies with the "secure" attribute are only permitted to be sent via HTTPS. Cookies sent via HTTP expose an unsuspecting user to sniffing attacks that could lead to user impersonation or compromise of the application account.
SOLUTION:
If the associated risk of a compromised account is high, apply the "secure" attribute to cookies and force all sensitive requests to be sent via HTTPS.
RESULT:
1GEThttps://domain.comSG9ovKg0K_pk_testcookie.11.e5c9=1; path=/; domain=domain.com

A possible fix could be to pass configCookieIsSecure to the setCookie() function.

@@ -3925,7 +3925,7 @@ if (typeof window.Piwik !== 'object') {
 
                 // for IE we want to actually set the cookie to avoid trigger a warning eg in IE see #11507
                 var testCookieName = configCookieNamePrefix + 'testcookie';
-                               setCookie(testCookieName, '1');
+                setCookie(testCookieName, '1', undefined, configCookiePath, configCookieDomain, configCookieIsSecure);
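Review bot: besides adding configCookieIsSecure, the replacement call also passes configCookiePath and configCookieDomain where the original `setCookie(testCookieName, '1')` left path and domain to setCookie's defaults, so the test cookie's scope changes together with its Secure flag; confirm this is intended and that whatever later deletes the test cookie uses the same path and domain, otherwise the cleanup may not match the cookie that was written. The `undefined` in the expiry position relies on setCookie treating a missing value as a session cookie rather than as an immediate expiry; worth verifying against setCookie's handling of that argument before sending the PR.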

Is this a viable solution? Should I send a PR?
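To make the difference concrete, here is an added example (not Matomo's piwik.js) with a stand-in buildCookieString that returns the string a tracker would assign to document.cookie, the test-cookie write before and after the proposed change, and the check a PCI scanner effectively runs over the result. The config object and the helper's argument order are assumptions modelled on the config* names quoted in the issue.

```javascript
// Hypothetical stand-in for the tracker's setCookie(): returns the cookie string
// instead of writing document.cookie, so the attributes can be inspected offline.
function buildCookieString(name, value, msToExpire, path, domain, isSecure, sameSite) {
  var cookie = name + '=' + encodeURIComponent(value);
  if (msToExpire) {
    // A missing/zero expiry yields a session cookie; an explicit one sets "expires".
    var expiryDate = new Date();
    expiryDate.setTime(expiryDate.getTime() + msToExpire);
    cookie += ';expires=' + expiryDate.toUTCString();
  }
  cookie += ';path=' + (path || '/');
  if (domain) { cookie += ';domain=' + domain; }
  if (isSecure) { cookie += ';secure'; }
  if (sameSite) { cookie += ';SameSite=' + sameSite; }
  return cookie;
}

// Constructed tracker settings mirroring the config* variables named in the issue.
var config = {
  cookieNamePrefix: '_pk_',
  cookiePath: '/',
  cookieDomain: 'example.com',
  cookieIsSecure: true
};

// "Before": the test cookie is written with name and value only, so the
// Secure attribute is never emitted even when configCookieIsSecure is set.
function testCookieBefore(cfg) {
  return buildCookieString(cfg.cookieNamePrefix + 'testcookie', '1');
}

// "After": the test cookie gets the same path, domain and Secure flag as the
// tracking cookies, which is what the proposed one-line change does.
function testCookieAfter(cfg) {
  return buildCookieString(cfg.cookieNamePrefix + 'testcookie', '1', undefined,
    cfg.cookiePath, cfg.cookieDomain, cfg.cookieIsSecure);
}

// Scanner-style check: return every cookie string that lacks ";secure" when
// the deployment requires it (the finding quoted in the issue).
function cookiesMissingSecure(cookieStrings, secureRequired) {
  return cookieStrings.filter(function (c) {
    return secureRequired && !/;\s*secure(\s*;|$)/i.test(c);
  });
}
```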

@tsteur
Member

tsteur commented Dec 23, 2019

@cundd be great. You probably want to respect the configCookieIsSecure setting when setting the cookie within the hasCookies method.

@cundd
Contributor Author

cundd commented Jan 15, 2020

Should be fixed

@cundd cundd closed this as completed Jan 15, 2020
@mattab mattab changed the title Set secure flag for _pk_testcookies JS Tracker: set secure flag for _pk_testcookies Sep 29, 2020
@mattab mattab added the c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. label Sep 29, 2020