GHSA-HG9J-64WP-M9PX

Vulnerability from github – Published: 2025-03-12 22:06 – Updated: 2025-03-12 22:06
VLAI?
Summary
Flarum Vulnerable to Session Hijacking via Authoritative Subdomain Cookie Overwrite
Details

Summary

A session hijacking vulnerability exists when an attacker-controlled authoritative subdomain under a parent domain (e.g., subdomain.host.com) sets cookies scoped to the parent domain (.host.com). This allows session token replacement for applications hosted on sibling subdomains (e.g., community.host.com) if session tokens aren't rotated post-authentication.

Key Constraints:
- Attacker must control any subdomain under the parent domain (e.g., evil.host.com or x.y.host.com).
- Parent domain must not be on the Public Suffix List.

Due to non-existent session token rotation after authenticating we can theoretically reproduce the vulnerability by using browser dev tools, but due to the browser's security measures this does not seem to be exploitable as described.

Proof of Concept (Deno)

Deno.serve({
    port: 8000, // default
    hostname: 'localhost',
    onListen: (o) => console.log(`Server started at http://${o.hostname}:${o.port}`, o),
  },
  async (req) => (console.log(req), new Response(
    `You've been served! You came from ${req.headers.get('referer')}`,
    {
      //status: 302, // would redirect user to page they came from
      status: 200,
      headers: {
        'set-cookie': 'session_cookie=mytoken; Domain=.deno.dev; Secure; HttpOnly',
        'location': req.headers.get('referer')
      }
    }
  ))
);

Attack Flow

  1. Attacker Setup: Hosts server at evil.host.com.
  2. Harvest Session Token: Attacker visits community.host.com to get a session token for himself to replace the victim's token with his own.
  3. Victim Interaction: User clicks link to https://evil.host.com.
  4. Cookie Override: Server sets cookie with Domain=.host.com and the harvested token from step 2.
  5. Session Hijacking: Victim's future requests to community.host.com use attacker's token.

Why Reverse DNS Subdomains Fail

Browsers block cookie setting for parent domains unless:
1. Authoritative Subdomain: Server must belong to a direct child domain (e.g., a.host.com, not x.y.host.com).
2. Public Suffix Exclusion: If host.com is on the Public Suffix List (e.g., like github.io), browsers block cross-subdomain cookies.

Example:
- ❌ 123.cust.dynamic.host.com → Cannot set Domain=.host.com.
- ✅ evil.host.com → Can set Domain=.host.com (if not on PSL).

Browser Security Behavior

1. Cookie Domain Validation

Per RFC 6265 §5.3:

Cookies can only be set for domains the server is authoritative for.

2. Public Suffix List (PSL)

Domains like host.com on the PSL trigger browser protections:

Subdomains of PSL-listed domains cannot set cookies for parent domains.

Verification:
- Check PSL status: https://publicsuffix.org/list/

Impact

  • Account Takeover: Attacker gains authenticated session access.
  • Data Exposure: Email, private messages, and other personal data exposed.
  • Exploitable Only If:
  • Parent domain is not PSL-listed.
  • Attacker controls direct child subdomain (e.g., evil.host.com).

Remediation

  1. Session Token Rotation:
    ts // After authentication: invalidateOldSession(); const newToken = generateToken();
  2. Cookie Scoping (already in place):
    ts // Restrict cookies to explicit subdomain: "Set-Cookie": "session=token; Domain=community.host.com; Secure; HttpOnly; SameSite=Lax";
  3. Public Suffix Registration:
    Add host.com to the Public Suffix List via PSL Submission.

Revised Vulnerability Criteria

Prerequisites:
- Attacker controls authoritative subdomain (e.g., evil.host.com).
- Parent domain (host.com) is not PSL-listed.
- Session tokens persist post-authentication.

References

Severity ?
6.8 (Medium)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "flarum/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "flarum/framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27794"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-12T22:06:16Z",
    "nvd_published_at": "2025-03-12T14:15:17Z",
    "severity": "MODERATE"
  },
  "details": "## **Summary**  \nA session hijacking vulnerability exists when an attacker-controlled **authoritative subdomain** under a parent domain (e.g., `subdomain.host.com`) sets cookies scoped to the parent domain (`.host.com`). This allows session token replacement for applications hosted on sibling subdomains (e.g., `community.host.com`) if session tokens aren\u0027t rotated post-authentication.  \n\n**Key Constraints**:  \n- Attacker must control **any subdomain** under the parent domain (e.g., `evil.host.com` or `x.y.host.com`).  \n- Parent domain must **not** be on the [Public Suffix List](https://publicsuffix.org/).\n\nDue to non-existent session token rotation after authenticating we can theoretically reproduce the vulnerability by using browser dev tools, but due to the browser\u0027s security measures this does not seem to be exploitable as described.\n\n---\n\n## **Proof of Concept (Deno)**  \n```ts\nDeno.serve({\n    port: 8000, // default\n    hostname: \u0027localhost\u0027,\n    onListen: (o) =\u003e console.log(`Server started at http://${o.hostname}:${o.port}`, o),\n  },\n  async (req) =\u003e (console.log(req), new Response(\n    `You\u0027ve been served! You came from ${req.headers.get(\u0027referer\u0027)}`,\n    {\n      //status: 302, // would redirect user to page they came from\n      status: 200,\n      headers: {\n        \u0027set-cookie\u0027: \u0027session_cookie=mytoken; Domain=.deno.dev; Secure; HttpOnly\u0027,\n        \u0027location\u0027: req.headers.get(\u0027referer\u0027)\n      }\n    }\n  ))\n);\n```\n\n### **Attack Flow**  \n1. **Attacker Setup**: Hosts server at `evil.host.com`.\n2. **Harvest Session Token**: Attacker visits `community.host.com` to get a session token for himself to replace the victim\u0027s token with his own.\n3. **Victim Interaction**: User clicks link to `https://evil.host.com`.  \n4. **Cookie Override**: Server sets cookie with `Domain=.host.com` and the harvested token from step 2.  \n5. **Session Hijacking**: Victim\u0027s future requests to `community.host.com` use attacker\u0027s token.  \n\n---\n\n## **Why Reverse DNS Subdomains Fail**  \nBrowsers block cookie setting for parent domains unless:  \n1. **Authoritative Subdomain**: Server must belong to a direct child domain (e.g., `a.host.com`, not `x.y.host.com`).  \n2. **Public Suffix Exclusion**: If `host.com` is on the Public Suffix List (e.g., like `github.io`), browsers block cross-subdomain cookies.  \n\n**Example**:  \n- \u274c `123.cust.dynamic.host.com` \u2192 Cannot set `Domain=.host.com`.  \n- \u2705 `evil.host.com` \u2192 Can set `Domain=.host.com` (if not on PSL).  \n\n---\n\n## **Browser Security Behavior**  \n### 1. **Cookie Domain Validation**  \nPer [RFC 6265 \u00a75.3](https://datatracker.ietf.org/doc/html/rfc6265#section-5.3):  \n\u003e Cookies can only be set for domains the server is authoritative for.  \n\n### 2. **Public Suffix List (PSL)**  \nDomains like `host.com` on the PSL trigger browser protections:  \n\u003e Subdomains of PSL-listed domains cannot set cookies for parent domains.  \n\n**Verification**:  \n- Check PSL status: https://publicsuffix.org/list/  \n\n---\n\n## **Impact**  \n- **Account Takeover**: Attacker gains authenticated session access.\n- **Data Exposure**: Email, private messages, and other personal data exposed.\n- **Exploitable Only If**:  \n  - Parent domain is **not** PSL-listed.  \n  - Attacker controls **direct child subdomain** (e.g., `evil.host.com`).  \n\n---\n\n## **Remediation**  \n1. **Session Token Rotation**:  \n   ```ts\n   // After authentication:\n   invalidateOldSession();\n   const newToken = generateToken();\n   ```\n2. **Cookie Scoping (already in place)**:  \n   ```ts\n   // Restrict cookies to explicit subdomain:\n   \"Set-Cookie\": \"session=token; Domain=community.host.com; Secure; HttpOnly; SameSite=Lax\";\n   ```\n3. **Public Suffix Registration**:  \n   Add `host.com` to the Public Suffix List via [PSL Submission](https://publicsuffix.org/submit/).  \n\n---\n\n## **Revised Vulnerability Criteria**  \n**Prerequisites**:  \n- Attacker controls authoritative subdomain (e.g., `evil.host.com`).  \n- Parent domain (`host.com`) is **not** PSL-listed.  \n- Session tokens persist post-authentication.  \n\n---\n\n## **References**  \n- [RFC 6265: HTTP Cookie Handling](https://tools.ietf.org/html/rfc6265)  \n- [Public Suffix List](https://publicsuffix.org/)",
  "id": "GHSA-hg9j-64wp-m9px",
  "modified": "2025-03-12T22:06:16Z",
  "published": "2025-03-12T22:06:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/flarum/framework/security/advisories/GHSA-hg9j-64wp-m9px"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27794"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flarum/framework/commit/a05aaea3ee1e0a8b870935183193cd6052f1d402"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/flarum/framework"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flarum/framework/releases/tag/v1.8.10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Flarum Vulnerable to Session Hijacking via Authoritative Subdomain Cookie Overwrite"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.