
CVE-2018-25060: Macaron csrf missing encryption and has sensitive cookies in HTTP session without secure attribute

CVSS Score (CVSS 3.1)
7.5

Basic Information

EPSS Score
0.12269%
Published
12/30/2022
Updated
3/1/2024
KEV Status
No
Technology
Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name
github.com/go-macaron/csrf
Ecosystem
go
Vulnerable Versions
< 0.0.0-20180426211050-dadd1711a617
First Patched Version
0.0.0-20180426211050-dadd1711a617

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the pre-patch implementation in csrf.go where ctx.SetCookie was called with a hardcoded 'false' for the secure parameter (6th argument). The Options struct contained a Secure flag that was not being utilized in this call, making it impossible to set secure cookies even when configured. The commit dadd171 specifically fixes this by replacing 'false' with opt.Secure in the Generate handler. This function is directly responsible for cookie generation and was the focal point of the vulnerability as shown in the diff and commit message.
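The defect described above (a cookie-setting call that ignores a configured Secure flag) reduces to a one-line difference, but it is easy to miss in review. The following Go program is an added illustration, not code from go-macaron/csrf or from this advisory: it models the pre-patch and patched behaviour with the standard library's net/http cookie API instead of Macaron's ctx.SetCookie, and the Options field names, token value and cookie name are assumptions for the example. The CookieIsSecure helper is the kind of check a defender can put in a test suite to catch a framework that silently drops the Secure attribute.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Options mirrors only the cookie-related settings that matter here.
// The field names are assumptions for this example, not the library's own.
type Options struct {
	Cookie         string // cookie name
	CookiePath     string
	CookieDomain   string
	Secure         bool // configured by the application, should be honoured
	CookieHttpOnly bool
}

// setCSRFCookieVulnerable reproduces the pre-patch defect: the Secure
// attribute is hardcoded to false, so opt.Secure is ignored even when set.
func setCSRFCookieVulnerable(w http.ResponseWriter, opt Options, token string) {
	http.SetCookie(w, &http.Cookie{
		Name:     opt.Cookie,
		Value:    token,
		Path:     opt.CookiePath,
		Domain:   opt.CookieDomain,
		Secure:   false, // hardcoded value: this is the bug
		HttpOnly: opt.CookieHttpOnly,
	})
}

// setCSRFCookieFixed honours the configured flag, as the patch does by
// passing opt.Secure in place of the literal false.
func setCSRFCookieFixed(w http.ResponseWriter, opt Options, token string) {
	http.SetCookie(w, &http.Cookie{
		Name:     opt.Cookie,
		Value:    token,
		Path:     opt.CookiePath,
		Domain:   opt.CookieDomain,
		Secure:   opt.Secure,
		HttpOnly: opt.CookieHttpOnly,
	})
}

// CookieIsSecure records a response produced by set and reports whether the
// configured cookie was emitted with the Secure attribute. It parses the
// actual Set-Cookie header rather than trusting the call site, so it detects
// a framework that drops the flag. Returns false if the cookie is absent.
func CookieIsSecure(set func(http.ResponseWriter, Options, string), opt Options) bool {
	rec := httptest.NewRecorder()
	set(rec, opt, "constructed-token-value") // constructed sample token
	for _, c := range rec.Result().Cookies() {
		if c.Name == opt.Cookie {
			return c.Secure
		}
	}
	return false
}

// VulnerableHonoursSecure and FixedHonoursSecure expose the two variants
// for testing: with Secure configured, the first returns false, the second true.
func VulnerableHonoursSecure(opt Options) bool { return CookieIsSecure(setCSRFCookieVulnerable, opt) }
func FixedHonoursSecure(opt Options) bool      { return CookieIsSecure(setCSRFCookieFixed, opt) }

func main() {
	opt := Options{Cookie: "_csrf", CookiePath: "/", Secure: true, CookieHttpOnly: true}
	fmt.Println("pre-patch emits Secure attribute:", VulnerableHonoursSecure(opt))
	fmt.Println("patched   emits Secure attribute:", FixedHonoursSecure(opt))
}
```

The check inspects the response headers with httptest rather than the Options value, which is the point: the configuration said Secure and the wire did not, and only a header-level assertion exposes that gap. The same approach works for HttpOnly and SameSite.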

WAF Protection Rules

WAF Rule

A vulnerability was found in Macaron csrf and classified as problematic. Affected by this issue is some unknown functionality of the file `csrf.go`. The manipulation of the argument Generate leads to sensitive cookie without secure attribute. The att