Critical vulnerabilities found in Traccar

Luis Salgado 6 years ago

Hello all,

Our security engineer scanned Traccar and found these vulnerabilities. We cannot deploy to the public until they are fixed. Has anyone come across these issues?

Thanks

CWE-614
CAPEC-21
DISSA_ASC-APP3110
OWASP2007-A1
OWASP2010-A2
OWASP2013-A3
OWASP2017-A7
GDPR12260
Description:
The Secure attribute is meant to keep cookie communication limited to encrypted transmission, directing browsers to use cookies only via secure/encrypted connections.

Recommendations:
Whenever a cookie contains sensitive information or is a session token, it should always be passed over an encrypted tunnel. For example, after logging into an application, if a session token is set using a cookie, verify that it is tagged with the ";secure" flag. If it is not, the browser believes it is safe to pass the cookie over an unencrypted channel such as HTTP.

CWE-79
CAPEC-21
DISSA_ASC-APP3110
OWASP2007-A1
OWASP2010-A2
OWASP2013-A3
OWASP2017-A7
GDPR12260
Description:
The HttpOnly attribute directs browsers to use cookies via the HTTP protocol only. An HttpOnly cookie is not accessible via non-HTTP methods, such as calls via JavaScript (e.g., referencing "document.cookie"), and therefore cannot be stolen easily via cross-site scripting (a pervasive attack technique).

Recommendations:
If the HttpOnly flag (optional) is included in the HTTP response header, the cookie cannot be accessed through client-side script (again, if the browser supports this flag). As a result, even if a cross-site scripting (XSS) flaw exists and a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.

Anton Tananaev 6 years ago

Use a proxy server in front of Traccar.
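As an added example (not code from Traccar, the scanner, or either poster), the script below does the two things a practitioner wants after putting a reverse proxy in front of the application: it audits the Set-Cookie headers of a raw HTTP response for the Secure and HttpOnly attributes the scanner flagged, and it shows the rewrite a cookie-flag-adding proxy performs. The two responses are constructed samples, and the cookie name JSESSIONID is an assumption about what the session cookie is called.

```python
"""Audit Set-Cookie headers for Secure/HttpOnly and show the proxy-side rewrite.

Added example; not Traccar's own code. Sample responses are constructed and the
JSESSIONID cookie name is an assumption.
"""
from typing import Dict, List, Tuple

# Constructed sample: what a scanner sees from the application directly,
# before any proxy rewrites the cookie.
RAW_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Set-Cookie: JSESSIONID=node0abc123.node0; Path=/\r\n"
    "\r\n"
)

# Constructed sample: the same response after a reverse proxy has added
# the attributes the scanner asked for.
RAW_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Set-Cookie: JSESSIONID=node0abc123.node0; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)

# The attributes the two findings (CWE-614, CWE-79 via cookie theft) require.
REQUIRED_FLAGS = ("Secure", "HttpOnly")


def set_cookie_values(raw_response: str) -> List[str]:
    """Return the value of every Set-Cookie header in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def cookie_attributes(set_cookie: str) -> Tuple[str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lowercase: val}).

    Attribute names are case-insensitive per RFC 6265, so they are lowered
    before comparison; flag-style attributes map to an empty string.
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def missing_flags(set_cookie: str) -> List[str]:
    """Required flags that are absent from this Set-Cookie value."""
    _, attrs = cookie_attributes(set_cookie)
    return [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]


def audit(raw_response: str) -> Dict[str, List[str]]:
    """Map each cookie name in the response to the required flags it lacks."""
    findings: Dict[str, List[str]] = {}
    for value in set_cookie_values(raw_response):
        name, _ = cookie_attributes(value)
        findings[name] = missing_flags(value)
    return findings


def add_flags(set_cookie: str) -> str:
    """Append any missing required flags, which is what a cookie-rewriting
    reverse proxy does on the way out; already-present flags are untouched."""
    for flag in missing_flags(set_cookie):
        set_cookie = f"{set_cookie}; {flag}"
    return set_cookie


if __name__ == "__main__":
    print("before proxy:", audit(RAW_BEFORE))
    print("after proxy: ", audit(RAW_AFTER))
    print("rewritten:   ", add_flags(set_cookie_values(RAW_BEFORE)[0]))
```

Two caveats when applying this for real. Secure only helps if the proxy terminates TLS and users reach the site over HTTPS; a browser will not send a Secure cookie over plain HTTP at all, so adding the flag to an HTTP-only deployment breaks login rather than protecting it. And the rewrite belongs on the proxy, not the scanner: on nginx 1.19.3 and later the equivalent of `add_flags` is the `proxy_cookie_flags ~ secure httponly;` directive in the location that proxies to the application.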