Publication Date:
2022
abstract:
The article provides technical details on a security issue discovered in daloRADIUS (https://github.com/lirantal/daloradius), along with the patch to apply for correcting the issue. In particular, all versions of daloRADIUS prior to the master branch transmit the session cookie (i.e. PHPSESSID) without setting the HttpOnly flag. The problem could cause JavaScript (e.g., using document.cookies) to access the PHPSESSID cookie value on the browser side.
Iris type:
05.12 Altro
Keywords:
cybersecurity; vulnerability; disclosure; cve; patch
List of contributors: