medium
6.8
CWE
74
Advisory Published
Updated

GHSA-hg9j-64wp-m9px

First published: Wed Mar 12 2025(Updated: )

## **Summary** A session hijacking vulnerability exists when an attacker-controlled **authoritative subdomain** under a parent domain (e.g., `subdomain.host.com`) sets cookies scoped to the parent domain (`.host.com`). This allows session token replacement for applications hosted on sibling subdomains (e.g., `community.host.com`) if session tokens aren't rotated post-authentication. **Key Constraints**: - Attacker must control **any subdomain** under the parent domain (e.g., `evil.host.com` or `x.y.host.com`). - Parent domain must **not** be on the [Public Suffix List](https://publicsuffix.org/). Due to non-existent session token rotation after authenticating we can theoretically reproduce the vulnerability by using browser dev tools, but due to the browser's security measures this does not seem to be exploitable as described. --- ## **Proof of Concept (Deno)** ```ts Deno.serve({ port: 8000, // default hostname: 'localhost', onListen: (o) => console.log(`Server started at http://${o.hostname}:${o.port}`, o), }, async (req) => (console.log(req), new Response( `You've been served! You came from ${req.headers.get('referer')}`, { //status: 302, // would redirect user to page they came from status: 200, headers: { 'set-cookie': 'session_cookie=mytoken; Domain=.deno.dev; Secure; HttpOnly', 'location': req.headers.get('referer') } } )) ); ``` ### **Attack Flow** 1. **Attacker Setup**: Hosts server at `evil.host.com`. 2. **Harvest Session Token**: Attacker visits `community.host.com` to get a session token for himself to replace the victim's token with his own. 3. **Victim Interaction**: User clicks link to `https://evil.host.com`. 4. **Cookie Override**: Server sets cookie with `Domain=.host.com` and the harvested token from step 2. 5. **Session Hijacking**: Victim's future requests to `community.host.com` use attacker's token. --- ## **Why Reverse DNS Subdomains Fail** Browsers block cookie setting for parent domains unless: 1. **Authoritative Subdomain**: Server must belong to a direct child domain (e.g., `a.host.com`, not `x.y.host.com`). 2. **Public Suffix Exclusion**: If `host.com` is on the Public Suffix List (e.g., like `github.io`), browsers block cross-subdomain cookies. **Example**: - ❌ `123.cust.dynamic.host.com` → Cannot set `Domain=.host.com`. - ✅ `evil.host.com` → Can set `Domain=.host.com` (if not on PSL). --- ## **Browser Security Behavior** ### 1. **Cookie Domain Validation** Per [RFC 6265 §5.3](https://datatracker.ietf.org/doc/html/rfc6265#section-5.3): > Cookies can only be set for domains the server is authoritative for. ### 2. **Public Suffix List (PSL)** Domains like `host.com` on the PSL trigger browser protections: > Subdomains of PSL-listed domains cannot set cookies for parent domains. **Verification**: - Check PSL status: https://publicsuffix.org/list/ --- ## **Impact** - **Account Takeover**: Attacker gains authenticated session access. - **Data Exposure**: Email, private messages, and other personal data exposed. - **Exploitable Only If**: - Parent domain is **not** PSL-listed. - Attacker controls **direct child subdomain** (e.g., `evil.host.com`). --- ## **Remediation** 1. **Session Token Rotation**: ```ts // After authentication: invalidateOldSession(); const newToken = generateToken(); ``` 2. **Cookie Scoping (already in place)**: ```ts // Restrict cookies to explicit subdomain: "Set-Cookie": "session=token; Domain=community.host.com; Secure; HttpOnly; SameSite=Lax"; ``` 3. **Public Suffix Registration**: Add `host.com` to the Public Suffix List via [PSL Submission](https://publicsuffix.org/submit/). --- ## **Revised Vulnerability Criteria** **Prerequisites**: - Attacker controls authoritative subdomain (e.g., `evil.host.com`). - Parent domain (`host.com`) is **not** PSL-listed. - Session tokens persist post-authentication. --- ## **References** - [RFC 6265: HTTP Cookie Handling](https://tools.ietf.org/html/rfc6265) - [Public Suffix List](https://publicsuffix.org/)

Affected SoftwareAffected VersionHow to fix
composer/flarum/framework<1.8.10
1.8.10
composer/flarum/core<1.8.10
1.8.10

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of GHSA-hg9j-64wp-m9px?

    The severity of GHSA-hg9j-64wp-m9px is high due to the potential for session hijacking.

  • How do I fix GHSA-hg9j-64wp-m9px?

    To fix GHSA-hg9j-64wp-m9px, you should update to Flarum framework or core version 1.8.10 or later.

  • Which software is affected by GHSA-hg9j-64wp-m9px?

    GHSA-hg9j-64wp-m9px affects Flarum framework versions below 1.8.10.

  • What kind of attack is associated with GHSA-hg9j-64wp-m9px?

    GHSA-hg9j-64wp-m9px is associated with session hijacking attacks that exploit cookie scoping.

  • What is the main vulnerability of GHSA-hg9j-64wp-m9px?

    The main vulnerability of GHSA-hg9j-64wp-m9px allows cookies set by an attacker-controlled subdomain to replace session tokens on sibling applications.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203