Summary
In the latest version (v3.3.4) of xboot, the cookie design has a security flaw: sensitive user information, including uid, username, nickname, mobile, email, address, sex, avatar URL, and birthday, is stored in cookies. If these cookies are compromised, attackers can leverage this information to launch more sophisticated attacks such as brute force, social engineering, and phishing.
POC
```http
GET /xboot/permission/getMenuList
Cookie: _ga=GA1.1.1119679874.1749601651; CHAT2DB.USER_ID=2; _ga_V8M4E5SF61=GS2.1.s1749601650$o1$g1$t1749601661$j49$l0$h0; PUBLICCMS_ADMIN=1_98929ca2-feeb-4745-8c8b-83ce96a02974; PUBLICCMS_ANALYTICS_ID=3c11ec88-14ff-4a2d-945e-a76277395bfe; Hm_lvt_1cd9bcbaae133f03a6eb19da6579aaba=1752119531,1752119879,1752126651,1752126882; cms.locale=zh; Hm_lvt_64e52d9ed8f5acc3eb7d60058e2fb7ab=1753156816; Hm_lpvt_64e52d9ed8f5acc3eb7d60058e2fb7ab=1753156816; HMACCOUNT=71B59AD17A941F07; userInfo={%22id%22:%22682265633886208%22%2C%22createBy%22:%22%22%2C%22createTime%22:%222018-05-01%2003:13:51%22%2C%22updateBy%22:%22admin%22%2C%22updateTime%22:%222020-04-30%2004:56:32%22%2C%22delFlag%22:0%2C%22username%22:%22admin%22%2C%22password%22:null%2C%22nickname%22:%22%E7%AE%A1%E7%90%86%E5%91%98%22%2C%22mobile%22:%2218782059031%22%2C%22email%22:%[email protected]%22%2C%22address%22:%22%E5%8C%97%E4%BA%AC%E5%B8%82%2C%E5%B8%82%E8%BE%96%E5%8C%BA%2C%E4%B8%9C%E5%9F%8E%E5%8C%BA%22%2C%22street%22:%22%E5%A4%A9%E5%BA%9C1%E8%A1%97%22%2C%22sex%22:%22%E7%94%B7%22%2C%22passStrength%22:%22%E5%BC%B1%22%2C%22avatar%22:%22https://ooo.0o0.ooo/2019/04/28/5cc5a71a6e3b6.png%22%2C%22type%22:1%2C%22status%22:0%2C%22description%22:%22%E6%88%91%E6%98%AF%E5%A4%A7%E5%B8%85%E9%80%BC%22%2C%22departmentId%22:%2240322777781112832%22%2C%22departmentTitle%22:%22%E6%80%BB%E9%83%A8%22%2C%22birth%22:%222020-04-15%22%2C%22defaultRole%22:null}
```
Decoding the value of `userInfo` with https://www.urldecoder.org/ reveals the sensitive information of the admin account:
```json
{"id":"682265633886208","createBy":"","createTime":"2018-05-01 03:13:51","updateBy":"admin","updateTime":"2020-04-30 04:56:32","delFlag":0,"username":"admin","password":null,"nickname":"管理员","mobile":"18782059031","email":"[email protected]","address":"北京市,市辖区,东城区","street":"天府1街","sex":"男","passStrength":"弱","avatar":"https://ooo.0o0.ooo/2019/04/28/5cc5a71a6e3b6.png","type":1,"status":0,"description":"我是大帅逼","departmentId":"40322777781112832","departmentTitle":"总部","birth":"2020-04-15","defaultRole":null}
```
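The check below is an added audit example, not code from xboot or from this report: it parses a raw `Cookie` header, URL-decodes the `userInfo` value the way the decoder site does above, and lists which of the sensitive fields named in the report are actually populated client-side. The sample header is constructed with placeholder values that mirror the structure of the PoC, and the field list is an assumption drawn from the report.

```python
import json
from urllib.parse import quote, unquote

# Fields the report identifies as sensitive PII, plus the password-related
# keys that appear in the decoded JSON (assumption: treat these as sensitive).
SENSITIVE_FIELDS = {
    "id", "username", "nickname", "mobile", "email", "address", "street",
    "sex", "avatar", "birth", "password", "passStrength",
}


def parse_cookie_header(header: str) -> dict:
    """Split a raw Cookie request header into {name: raw_value} without decoding."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue  # ignore malformed fragments
        name, _, value = part.partition("=")
        cookies[name.strip()] = value
    return cookies


def audit_user_info_cookie(header: str, cookie_name: str = "userInfo") -> dict:
    """Report which sensitive fields are stored in the client-side profile cookie.

    A non-empty 'leaked_fields' list means PII is exposed to anyone who can read
    the cookie (XSS, shared machine, logs); the fix is to keep only an opaque
    session identifier in the cookie and look the profile up server-side.
    """
    raw = parse_cookie_header(header).get(cookie_name)
    if raw is None:
        return {"found": False, "leaked_fields": []}
    try:
        data = json.loads(unquote(raw))  # value is URL-encoded JSON, as in the PoC
    except ValueError:
        return {"found": True, "leaked_fields": [], "error": "not URL-encoded JSON"}
    leaked = sorted(k for k, v in data.items() if k in SENSITIVE_FIELDS and v not in (None, ""))
    return {"found": True, "leaked_fields": leaked}


# Constructed sample mirroring the PoC's cookie layout with placeholder data.
CONSTRUCTED_USER_INFO = {
    "id": "1", "createBy": "", "username": "admin", "password": None,
    "nickname": "测试", "mobile": "0000000000", "email": "user@example.invalid",
    "address": "City, District", "sex": "M", "avatar": "https://example.invalid/a.png",
    "type": 1, "birth": "2000-01-01",
}
SAMPLE_COOKIE_HEADER = "_ga=GA1.1.1; userInfo=" + quote(json.dumps(CONSTRUCTED_USER_INFO, ensure_ascii=False))
```

Running `audit_user_info_cookie(SAMPLE_COOKIE_HEADER)` lists every populated PII field; an empty list with `found` true is the state a fixed cookie design should produce.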