MyBB Community Forums Development MyBB 1.8 Development 1.8 Bugs and Issues Pushed v
[Pushed] mybbuser cookie is set without httponly when changing password

Threaded Mode
[Pushed] mybbuser cookie is set without httponly when changing password
HellaMadMax Offline
Posts: 1
Threads: 1
Joined: Aug 2016
Reputation: 0
#1
2017-03-26, 12:35 AM
When changing your password it updates the mybbuser cookie, but doesn't use the "httponly" parameter like other places do (such as when you login). This results in the mybbuser cookie being able to be accessed from javascript.
[Image: x1LoCYU.png]
Link to line causing issue.
Find
Reply
Devilshakerz Offline

Security

Devops

Web
Posts: 2,220
Threads: 199
Joined: Jun 2011
Reputation: 218
#2
2017-03-26, 12:44 AM
Hi,

Thank you for your report. We have pushed this issue to our Github repository for further analysis where you can track our commits and progress with fixing this bug. Discussions regarding this bug may also take place there too.

Follow this link to visit the issue on Github: https://github.com/mybb/mybb/issues/2705

Thanks for contributing to MyBB!

Regards,
The MyBB Group
Find
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)