Persistent cookies - Powa
Kamal-Villupuram opened this issue · 34 comments
Hi,
We see that cookies remain when the browser is closed without logging off from the Powa URL, and it reuses the same cookies and allows re-login without any credentials once the browser is reopened.
It's a big security issue. Please advise how to make these cookies expire or disable them completely once the browser tab is closed.
Thanks
Hi,
I totally agree. There's no configuration option for cookie expiration in powa right now, so the cookies are either cleared with the tornado default behavior (30 days expiration) or when explicitly logging out.
Would you be ok with this new option in the powa-web.conf file:
cookie_expiration=XXX
where XXX can either be None or an integer for the number of days for expiration?
None means a session cookie. Note that I think that such cookies are removed when the browser is closed, not when the tab is closed. As far as I know there aren't any feature available to delete cookie when tabs are closed, but some extensions allow it.
Hi
Yes. It should be good as true or false, with an additional cookies_age parameter if someone wants cookie expiration set to false.
I think we should have a single parameter, but maybe named in a less confusing way? Having 2 parameters can lead to less friendly behavior (which one should have priority in case they are set in an incompatible way, or should it raise an error...).
The true/false behavior would be inferred from having a not None or not 0 value. Do you have a better suggestion for the parameter name?
Also, do you have some arguments on what the default value should be?
I am good with a single parameter as well, as long as cookies expire immediately on browser close.
Something like below?
Cookie_expire_at_browser_close
What I want is a configuration option that serves for both what you want and what other people may want, which can be "live longer than the browser but something different than 30 days". I'll go ahead and implement a cookie_expires_day, to try to follow what tornado is using, with some comments explaining how to configure it.
Thanks for quick update. We got some security findings on this and have to close by this week. May I know when we can expect the bug fix?
I just pushed a new branch with a fix: powa-team/powa-web@5ef10e8
If you can test it and confirm that setting the new cookie_expires_days=0 option has the behavior you want I can release it today.
Note that I have no control on when upstream packages will be updated.
Thanks. I updated the branch, set cookie_expires_days=0 and restarted powa-web. But cookie retention still shows 30 days in the Chrome browser. Can you test in Chrome and confirm please?
Did you logout and login again? The cookies are only set when authentication is done (otherwise any non-0 expiration would be virtually infinite).
Thanks a lot. It works well in chrome.
Great! Do you have anything else to test or any other concern or should I release a new version now?
Two more security concerns. The components below are older and identified as vulnerable. Is it possible to upgrade to the latest version?
Current version of jQuery is v1.11.2 and the latest version of jQuery is v3.6.0, released March 02, 2021
Current version of Tornado is v4.0 and the latest version of Tornado is v6.1, released October 30, 2020
Current version of jQuery is v1.11.2 and the latest version of jQuery is v3.6.0, released March 02, 2021
I'll try to update it but will take some time (I'm not a web developer).
Current version of Tornado is v4.0 and the latest version of Tornado is v6.1, released October 30, 2020
I don't understand this one. powa-web doesn't ship tornado. It should be compatible with any version >= 2.0, so you're free to use the version you want. If you hit any problem with a recent version, I'll of course fix it.
Sure. If you can fix before end of this month, it would be very helpful.
Thanks again. Much appreciated.
Thanks. For the record the SSL certificate of https://jquery.com/ has apparently been revoked, so I can't even get the latest version.
Sorry, couldn't understand it. I can see the latest version.
Yes, the certificate has been updated since. I could download the last version of jquery; I'm now trying (and failing) to compile the js resources. As I said I'm not a web developer so bower, grunt... are black voodoo for me.
Hi,
The security team has concerns that the current version of jquery (2.1.4) used by PoWA is vulnerable to cross-site scripting and prototype pollution. It will be a challenge for us to go live with Powa in production with this vulnerability.
It will be really helpful if you can download the latest version of jquery in your lab environment and verify if it is compatible with Powa.
Thanks
Hari
I tried the latest version of jquery, and unfortunately it's incompatible with at least the version of foundation we use, as jquery 3 removed some aliases (jquery/jquery#2286). We use foundation 5.5.3, which is the latest version for the 5.x. I didn't try to switch to foundation 6, but looking at https://stackoverflow.com/questions/36558589/work-needed-to-upgrade-zurb-foundation-v5-to-v6-2 it's not an easy task.
As I said, I'm not a web developer and I don't have the knowledge to make this happen. Unless someone is willing to work on this I unfortunately don't think it will happen. I'm really sorry.
After some discussion with @rdunklau and @marco44 we chose to postpone the update of the JS dependencies.
The reason for that is that unfortunately the current tools used to handle dependencies are outdated, broken and unmaintained. It also seems that the JS world is currently changing how script imports should be done with a new standard, so it seems like bad timing to change that in powa-web, as we would need to rework how we build and ship JS entirely, and we want to make sure we don't bet on tools which will disappear a few years down the line.
On the other hand, given the nature of powa-web, the security issues that exist with jQuery and other dependencies are not critical. So our plan is to keep an issue open in the powa-web project to make sure we won't forget to eventually fix the outdated JS lib dependencies once the new standard is settled.
About the original issue, I pushed the commit to add the cookie_expires_days configuration on the master branch. I plan to release it as soon as the fix for powa-team/powa-web#141 is validated and merged too.
Thanks. But one security issue was identified on the cookies, as below. Cookies are reused within 15 mins (B2C) to gain access to POWA. Can you please fix the session cookies so they are also logged out immediately when the user logs off.
Summary
The application does not properly terminate user sessions when users manually log out of the application.
Impact
An attacker who manages to gain access to the user's browser, or who can otherwise discover the user's session token, will be able to gain access to the user's authenticated session even after the user has logged off.
Users may have a false sense of security that their authenticated sessions have been rendered unusable after logging off when this is not the case.
Details
The application uses a combination of the "username", "password" and "server" cookies for session management. These cookies were found to be valid after the user logs out of the application.
Remediation Recommendations
Ensure user sessions are properly terminated by the application server when users log out of the application.
@Kamalbharath I don't understand your report. I just checked and the cookies are removed from the browser when you explicitly log out, whether it's a session cookie or not.
Can you share a complete scenario (powa-web configuration, action on the UI...) where the cookies are not removed when you log off?
I tried copying the cookies ("username", "password" and "server") manually, like below, then logged out of the browser and tried to key in the cookies manually, which allowed access without any credentials. So the report says cookies should be removed immediately once the user logs off, even if those cookies are hacked within the 15 mins (B2C) time.
"2|1:0|10:1626945084|8:username|12:a2FtYmhhcmE=|4119b5741c7cbb4e8d5efb17fa5c7362955ecc5ca08e60ab2b9ad80d03bec914"
"2|1:0|10:1626945084|8:password|16:Uml5YXpfMTk3NQ==|b57cd3ca957eb3b668d1640c5ede639d5d8c40de67a892b72c6c15b0daa200f5"
"2|1:0|10:1626945084|6:server|8:bWFpbg==|592bd5a757db9c5dae5e229a92285660b62ebc8a7f6fc8453e55ca405c615fc3"
I don't understand. Those cookies store the encrypted credentials. The encryption only prevents you from knowing the content, as the key is only known by the server, but for the client it's still direct access to authentication and thus privileged information.
How is your scenario any different from "someone used my computer when I was in the toilet"?
Yes, those are raised from a hacking point of view for all web applications.
So, are you saying that you agree it's not a security issue as it isn't something that can be addressed by any web app?
This report was sent to us by the security team and has to be remediated.
I still don't understand the scenario. Apart from the fact that it's relying on your desktop being compromised, which is already a problem, removing a cookie doesn't make its former content invalid.
So the report says cookies should be removed immediately once the user logs off, even if those cookies are hacked within the 15 mins (B2C) time.
Are you saying that if you log off and immediately (not after 15 minutes) re-inject the cookie you shouldn't be able to authenticate? That's impossible to do: powa-web doesn't store any information and relies on the cookies and only the cookies for authentication. We could make the password expire after X days of inactivity but nothing less than a day I think, as tornado doesn't support it.
has to be remediated.
I don't think that what you asked for can be implemented, but if you disagree feel free to send a patch.
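The stateless check described above, as an added example that is not powa-web's or tornado's own code: a stdlib re-implementation of Tornado's version-2 signed-value format (the "2|1:0|10:<timestamp>|8:username|..." shape of the three cookies quoted earlier), showing that the server verifies only the HMAC, the cookie name and the timestamp age, so a saved copy keeps verifying after the browser has discarded it. The secret and the username are constructed; that cookie_expires_days maps onto Tornado's set_secure_cookie expires_days, which only governs the browser-side lifetime, is an assumption.

```python
"""Stdlib re-implementation of Tornado's version-2 signed-value format.
Added example, not powa-web or tornado code; the secret is constructed."""
import base64
import hashlib
import hmac
import time

COOKIE_SECRET = "constructed-example-secret-not-a-real-key"  # assumption


def _field(s):
    # v2 fields are length-prefixed so a '|' inside a value cannot confuse the parser
    return b"%d:%s" % (len(s), s)


def _sign(secret, data):
    return hmac.new(secret.encode(), data, hashlib.sha256).hexdigest().encode()


def create_signed_value(secret, name, value, timestamp=None, key_version=0):
    """Build '2|<key_version>|<timestamp>|<name>|<base64 value>|<hmac-sha256 hex>'."""
    ts = str(int(time.time() if timestamp is None else timestamp)).encode()
    to_sign = b"|".join([b"2", _field(str(key_version).encode()), _field(ts),
                         _field(name.encode()),
                         _field(base64.b64encode(value.encode())), b""])
    return (to_sign + _sign(secret, to_sign)).decode()


def _consume(rest):
    length, _, rest = rest.partition(b":")
    n = int(length)
    if rest[n:n + 1] != b"|":
        raise ValueError("malformed v2 field")
    return rest[:n], rest[n + 1:]


def parse_fields(cookie):
    """Split a v2 value into its fields without checking the signature (no secret needed)."""
    raw = cookie.encode()
    if not raw.startswith(b"2|"):
        raise ValueError("not a v2 signed value")
    key_version, rest = _consume(raw[2:])
    ts, rest = _consume(rest)
    name, rest = _consume(rest)
    value, sig = _consume(rest)
    return {"key_version": int(key_version), "issued_at": int(ts),
            "name": name.decode(), "value_b64": value.decode(), "sig": sig.decode()}


def decode_signed_value(secret, name, cookie, max_age_days=31, now=None):
    """Return the plaintext value, or None if the signature, name or age is bad.
    No server-side state is consulted, so a browser-side logout cannot revoke a
    copy; only the timestamp age (max_age_days, Tornado's default 31) ends it.
    cookie_expires_days is assumed to shorten only the browser's copy."""
    try:
        f = parse_fields(cookie)
    except ValueError:
        return None
    raw = cookie.encode()
    signed = raw[:len(raw) - len(f["sig"].encode())]
    if not hmac.compare_digest(f["sig"].encode(), _sign(secret, signed)):
        return None  # tampered, or signed with a different cookie_secret
    if f["name"] != name:
        return None  # value replayed under another cookie name
    clock = time.time() if now is None else now
    if f["issued_at"] < clock - max_age_days * 86400:
        return None  # the only server-side expiry: age of the timestamp
    try:
        return base64.b64decode(f["value_b64"]).decode()
    except Exception:
        return None
```

Run decode_signed_value on the same string before and after "logging out" (deleting the browser's copy) and it returns the same username both times; only a shorter max_age_days or a changed cookie_secret makes it return None.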
This is regarding the Tornado version asked about earlier: the current version we have is Tornado v4.0, which is old and vulnerable.
I tried to download and compile 6.1 but am running into errors.
Downloaded tornado-6.1.0.tar.gz from https://github.com/tornadoweb/tornado/releases
tar -xvzf /tmp/tornado-6.1.0.tar.gz
[root@xx ~]# cd /pgbin/powa/tornado-6.1.0
[root@xx tornado-6.1.0]# python setup.py build
/usr/lib64/python2.7/distutils/dist.py:267: UserWarning: Unknown distribution option: 'python_requires'
warnings.warn(msg)
running build
running build_py
package init file 'tornado/test/init.py' not found (or not a regular file)
running build_ext
building 'tornado.speedups' extension
gcc -pthread -fno-strict-aliasing -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -DNDEBUG -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -fPIC -I/usr/include/python2.7 -c tornado/speedups.c -o build/temp.linux-x86_64-2.7/tornado/speedups.o
tornado/speedups.c:59:15: error: variable ‘speedupsmodule’ has initializer but incomplete type
static struct PyModuleDef speedupsmodule = {
^
tornado/speedups.c:60:4: error: ‘PyModuleDef_HEAD_INIT’ undeclared here (not in a function)
PyModuleDef_HEAD_INIT,
^
tornado/speedups.c:60:4: warning: excess elements in struct initializer [enabled by default]
tornado/speedups.c:60:4: warning: (near initialization for ‘speedupsmodule’) [enabled by default]
tornado/speedups.c:61:4: warning: excess elements in struct initializer [enabled by default]
"speedups",
^
tornado/speedups.c:61:4: warning: (near initialization for ‘speedupsmodule’) [enabled by default]
tornado/speedups.c:62:4: warning: excess elements in struct initializer [enabled by default]
NULL,
^
tornado/speedups.c:62:4: warning: (near initialization for ‘speedupsmodule’) [enabled by default]
tornado/speedups.c:63:4: warning: excess elements in struct initializer [enabled by default]
-1,
^
tornado/speedups.c:63:4: warning: (near initialization for ‘speedupsmodule’) [enabled by default]
tornado/speedups.c:65:1: warning: excess elements in struct initializer [enabled by default]
};
^
tornado/speedups.c:65:1: warning: (near initialization for ‘speedupsmodule’) [enabled by default]
tornado/speedups.c: In function ‘PyInit_speedups’:
tornado/speedups.c:69:5: warning: implicit declaration of function ‘PyModule_Create’ [-Wimplicit-function-declaration]
return PyModule_Create(&speedupsmodule);
^
tornado/speedups.c:69:5: warning: ‘return’ with a value, in function returning void [enabled by default]
command 'gcc' failed with exit status 1
setup.py:106: UserWarning:
WARNING: The tornado.speedups extension module could not
be compiled. No C extensions are essential for Tornado to run,
although they do result in significant speed improvements for
websockets.
The output above this warning shows how the compilation failed.
Here are some hints for popular operating systems:
If you are seeing this message on Linux you probably need to
install GCC and/or the Python development package for your
version of Python.
Debian and Ubuntu users should issue the following command:
$ sudo apt-get install build-essential python-dev
RedHat and CentOS users should issue the following command:
$ sudo yum install gcc python-devel
Fedora users should issue the following command:
$ sudo dnf install gcc python-devel
MacOS users should run:
$ xcode-select --install
"The output above "
[root@sl73pgtldbp002 tornado-6.1.0]#
Note that gcc and python-devel packages are already installed.
Please advise how to compile and proceed further so that powa-web can use the latest version of Tornado.
Thanks
Hari
Hi @hrawulwa
What operating system are you using, and which version is it?
Note that I don't experience any problem locally:
$ cd tornado-6.1.0
$ python setup.py build
running build
running build_py
running build_ext
building 'tornado.speedups' extension
creating build/temp.linux-x86_64-3.9
creating build/temp.linux-x86_64-3.9/tornado
x86_64-pc-linux-gnu-gcc -pthread -fPIC -I/usr/include/python3.9 -c tornado/speedups.c -o build/temp.linux-x86_64-3.9/tornado/speedups.o
x86_64-pc-linux-gnu-gcc -pthread -shared -Wl,-O1 -Wl,--as-needed build/temp.linux-x86_64-3.9/tornado/speedups.o -L/usr/lib64 -o build/lib.linux-x86_64-3.9/tornado/speedups.cpython-39-x86_64-linux-gnu.so
Hi,
Below is OS and version.
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.9 (Maipo)
Thanks
Hari
Well, RHEL 7.9 full support ended in August 2019 and it is now waiting for the end of Maintenance Support 2 (https://access.redhat.com/product-life-cycles?product=Red%20Hat%20Enterprise%20Linux,OpenShift%20Container%20Platform%204).
You might be able to fix your toolchain and/or find up-to-date RPMs somewhere and/or use pip packages, but if you really care about security the right move would probably be to switch to a fully supported distribution, as pretty much everything else on your box will also be long outdated.
In any case I'm not a heavy RHEL user and updating random dependencies is out of scope of this project, so if none of the suggestions above works you should ask that question directly to RHEL support.
Thank you. Can you please confirm if Powa uses Websocket?
As per our security team, this version of Tornado (v4.0) seems to be affected only in the WebSocket code with respect to vulnerabilities.
If it doesn't use Websocket, we are good.
Please confirm.
Thanks
Hari
Hi,
I confirm that powa-web does not use WebSockets. You can also double-check that by grepping for tornado.websocket in the source code (https://www.tornadoweb.org/en/stable/websocket.html).