Flarum Session Hijacking Vulnerability via Authoritative Subdomain Cookie Overwrite

Vulnerability

A session fixation vulnerability leading to session hijacking exists in Flarum versions prior to 1.8.10. Browsers let any host under a registrable parent domain set a cookie whose Domain attribute is that parent, and they then send the cookie to every sibling host under it as well. An attacker who controls an authoritative subdomain (one whose HTTP responses they control) under the same parent as a Flarum installation can therefore plant a session cookie of their choosing in a visitor's browser, and the Flarum instance on the sibling subdomain will accept that cookie as the visitor's session. In affected versions the session identifier is not rotated when the user authenticates, so the planted, attacker-known session becomes the victim's logged-in session. The attack requires that the attacker control a subdomain under a shared parent that is not on the Public Suffix List, since browsers refuse domain cookies scoped to a public suffix.

Impact

Exploitation allows account takeover: the attacker ends up holding the victim's authenticated session on the sibling subdomain, which gives unauthorized access to the account and to the personal data it exposes, such as the email address and private messages.

Reproduction

To reproduce this vulnerability, an attacker must control an authoritative subdomain under the same parent domain as the target Flarum installation, and that parent must not be on the Public Suffix List. The attacker first obtains a valid session cookie value from the forum, for example by loading it anonymously. A victim is then induced to load a page from the attacker's subdomain, whose response carries a Set-Cookie header for the forum's session cookie name with the attacker's value and a Domain attribute naming the shared parent. The victim's browser accepts the cookie and, because of the parent-domain scope, sends it with every subsequent request to the forum on the sibling subdomain, so the forum now treats the attacker's session as the victim's. When the victim logs in, the unrotated session is marked as authenticated, and the attacker, who still holds the same cookie value, presents it to the forum and is served as the victim.

Remediation

Users should update to Flarum version 1.8.10 or later, where this vulnerability has been patched. The root-cause defence is to issue a fresh session identifier when a user authenticates (and on logout), so that any identifier planted before login carries no value afterwards. Cookie scoping deserves a caveat: setting the forum's own session cookie as host-only does not by itself stop a sibling subdomain from planting a parent-scoped cookie of the same name, because the browser sends both and the server has to pick one. Naming the cookie with the __Host- prefix does prevent the overwrite, since browsers reject a __Host- cookie that carries a Domain attribute or lacks Secure and Path=/. Operators should also avoid hosting untrusted or third-party content on any subdomain that shares the forum's registrable domain.
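The following model is an added example, not Flarum's code or any code from the advisory. It ties together the reproduction steps and the remediation above: a small cookie jar applies the RFC 6265 domain-match rule and the __Host- prefix rule, and a stand-in forum on forum.example.com (the hostnames, the cookie name flarum_session and the session layout are assumptions for illustration) can be run with and without session rotation at login. With rotation off, the attacker's planted session ends up authenticated as the victim; with rotation on, it does not; and a __Host- cookie planted from a sibling never reaches the forum.

```python
"""Model of the sibling-subdomain cookie planting attack and its fixes.

Constructed example: BrowserJar implements RFC 6265 domain matching and the
__Host- prefix rule; ForumServer is a stand-in for an app whose session id
lives in a cookie, not Flarum code. Hostnames and cookie name are assumed.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # Domain attribute without leading dot, or the setting host
    host_only: bool   # True when the Set-Cookie header had no Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: host equals the domain or ends with '.' + domain."""
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


class BrowserJar:
    """Cookie jar applying only the acceptance rules relevant to this bug."""

    def __init__(self, public_suffixes=("com",)):
        self.cookies: list[Cookie] = []          # kept in creation order
        self.public_suffixes = set(public_suffixes)

    def set_cookie(self, setting_host: str, header: str) -> bool:
        """Store a Set-Cookie header if a browser would accept it from setting_host."""
        parts = [p.strip() for p in header.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for p in parts[1:]:
            k, _, v = p.partition("=")
            attrs[k.lower()] = v
        domain = attrs.get("domain", "").lstrip(".").lower()
        # __Host- prefix: must be Secure, Path=/ and carry no Domain attribute,
        # so a sibling subdomain cannot plant a parent-scoped cookie of that name.
        if name.startswith("__Host-") and ("secure" not in attrs or domain or attrs.get("path") != "/"):
            return False
        if domain:
            # Domain cookies are refused for public suffixes and for domains the
            # setting host is not under; evil.example.com may set Domain=example.com.
            if domain in self.public_suffixes or not domain_matches(setting_host, domain):
                return False
            cookie = Cookie(name, value, domain, host_only=False)
        else:
            cookie = Cookie(name, value, setting_host, host_only=True)
        # Same name and domain (Path fixed at / here) replaces the stored cookie.
        self.cookies = [c for c in self.cookies if (c.name, c.domain) != (name, cookie.domain)]
        self.cookies.append(cookie)
        return True

    def cookies_for(self, request_host: str) -> dict[str, str]:
        """Cookies sent to request_host, as the server sees them.

        A host-only cookie and a parent-domain cookie of the same name are both
        sent; RFC 6265 5.4 orders equal-path cookies by creation time and this
        stand-in server keeps the first value for a duplicated name.
        """
        sent: dict[str, str] = {}
        for c in self.cookies:
            if (c.host_only and c.domain == request_host) or \
               (not c.host_only and domain_matches(request_host, c.domain)):
                sent.setdefault(c.name, c.value)
        return sent


class ForumServer:
    """Stand-in forum on forum.example.com; the session id lives in a cookie."""
    HOST = "forum.example.com"
    COOKIE = "flarum_session"

    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        self.sessions: dict[str, dict] = {}

    def _set_session_cookie(self, jar: BrowserJar, sid: str) -> None:
        jar.set_cookie(self.HOST, f"{self.COOKIE}={sid}; Path=/; Secure; HttpOnly")

    def visit(self, jar: BrowserJar) -> str:
        """Anonymous request: reuse a presented id that exists, else start a session."""
        sid = jar.cookies_for(self.HOST).get(self.COOKIE)
        if sid not in self.sessions:
            sid = secrets.token_hex(20)
            self.sessions[sid] = {"user": None}
            self._set_session_cookie(jar, sid)
        return sid

    def login(self, jar: BrowserJar, username: str) -> str:
        sid = self.visit(jar)
        if self.rotate_on_login:
            # The fix: authentication moves the session to a fresh id, so an id
            # planted before login never becomes an authenticated session.
            data = self.sessions.pop(sid)
            sid = secrets.token_hex(20)
            self.sessions[sid] = data
            self._set_session_cookie(jar, sid)
        self.sessions[sid]["user"] = username
        return sid

    def whoami(self, sid: str):
        return self.sessions.get(sid, {}).get("user")


def run_attack(rotate_on_login: bool):
    """Return the user the attacker's planted session is logged in as (None if nobody)."""
    forum = ForumServer(rotate_on_login)
    attacker_sid = forum.visit(BrowserJar())           # 1. valid anonymous id from the forum
    victim = BrowserJar()
    victim.set_cookie("evil.example.com",               # 2. sibling plants it, parent-scoped
                      f"{ForumServer.COOKIE}={attacker_sid}; Domain=example.com; Path=/")
    forum.login(victim, "victim")                       # 3. victim logs in with the planted id
    return forum.whoami(attacker_sid)                   # 4. attacker reuses the same id


def host_prefixed_cookie_reaches_forum() -> bool:
    """With the __Host- prefix, a sibling cannot plant a cookie the forum will see."""
    jar = BrowserJar()
    jar.set_cookie("evil.example.com", "__Host-sid=attacker; Domain=example.com; Path=/; Secure")
    jar.set_cookie("evil.example.com", "__Host-sid=attacker; Path=/; Secure")  # host-only: stays on evil
    return "__Host-sid" in jar.cookies_for(ForumServer.HOST)


if __name__ == "__main__":
    print("no rotation, attacker is:", run_attack(rotate_on_login=False))   # victim
    print("with rotation, attacker is:", run_attack(rotate_on_login=True))  # None
    print("__Host- cookie from sibling reaches forum:", host_prefixed_cookie_reaches_forum())  # False
```

The attacker deliberately starts from a session id the forum itself issued, so the attack works even against a server that refuses unknown ids; that is why rotation at login, rather than id validation, is the decisive fix. The jar also shows why a host-only session cookie is not a defence on its own: when the attacker's parent-scoped cookie was created first, it is the value the server reads.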

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 1.3
exploitability: 7.9
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.