Insecure Cookie?

Hello, our audits revealed that the stack_infinity addon is loading an insecure cookie. Can you explain what exactly this cookie is tracking and how it can be made secure or if it's even needed?

CMS File Location:
/public/packages/stack_infinity/blocks/stack_infinity/controller.php


Code snippet:

protected function _getCookie() {
    // Cookie 'helper'.
    $ch = \Core::make('cookie');
    // Get cookie.
    $cookie = $ch->get('stack_infinity');
    if (is_array($cookie) && isset($cookie['bID_' . $this->bID])) {
        // Get json decoded cookie.
        $result = Json::decode($cookie['bID_' . $this->bID], true);
    } else {
        // Get default data.
        $result = array('count' => 0, 'ttl' => false, 'type' => $this->count_unit, 'stacks' => array());
    }
    // Return result.
    return $result;
}

Type: Pre-Sale
Status: In Progress
MikeTCB
MikeTCB replied:
Hello, just wondering if anyone is monitoring this issue besides me?
4Concrete5 replied:
Hi,

Yes, we are also monitoring this ;-) Sorry for the late response!

We are going to fix the insecure cookie.

As you can see in the code, the cookie is being used to store some info about the addon, just to get the addon working. We decided to use a cookie instead of repeatedly calling the database.

Will be fixed in a couple of days!

Team 4Concrete5
4Concrete5 replied:
On line 292 I see:

// Set cookie.
$ch->set('stack_infinity[bID_' . $this->bID . ']', $data, $ttl, $path, $domain, $request->isSecure());


So I think all is well when you use https for the site.

If I remember well, we've already made the change (the $request->isSecure()) a while ago.

I don't see any problems with the cookie?
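The two replies above explain that the cookie only caches per-block state that would otherwise be re-read from the database, and that the fix ties the Secure flag to $request->isSecure(). The block below is an added example written for this thread, not code from the Stack Infinity add-on or from 4Concrete5: it shows the attribute set a cookie audit typically expects (Secure, HttpOnly, SameSite) using PHP's native setcookie() options array (PHP 7.3+), and a small checker that reports which of those attributes a Set-Cookie header is missing. The helper names, the block id 42 and the sample headers are constructed for the example; only the cookie name stack_infinity[bID_...] comes from the thread. Note that a Secure flag derived from the request scheme is only present when the page itself was served over HTTPS, which is why the reply says all is well "when you use https for the site".

```php
<?php
// Added example, not the add-on's own code.
// Assumes PHP 7.3+ (setcookie() with an options array); $bID is a hypothetical block id.

/**
 * Attribute set for the add-on's cookie. Secure is tied to the request scheme,
 * in the same spirit as $request->isSecure() in the thread; HttpOnly is safe
 * because the block only reads the cookie server-side.
 */
function stackInfinityCookieOptions(bool $requestIsHttps, int $ttlSeconds): array
{
    return [
        'expires'  => $ttlSeconds > 0 ? time() + $ttlSeconds : 0, // 0 = session cookie
        'path'     => '/',
        'domain'   => '',              // current host only
        'secure'   => $requestIsHttps, // only sent over HTTPS when true
        'httponly' => true,            // not readable from page JavaScript
        'samesite' => 'Lax',           // not attached to cross-site POSTs
    ];
}

/**
 * Store the per-block state, mirroring the name layout used by the add-on
 * (stack_infinity[bID_<id>]); PHP url-encodes the JSON value for the header.
 */
function setStackInfinityCookie(int $bID, array $data, bool $requestIsHttps, int $ttlSeconds = 0): bool
{
    return setcookie(
        'stack_infinity[bID_' . $bID . ']',
        json_encode($data),
        stackInfinityCookieOptions($requestIsHttps, $ttlSeconds)
    );
}

/**
 * Audit one Set-Cookie header value and return the hardening attributes it
 * lacks; an empty array means Secure, HttpOnly and SameSite are all present.
 * Attribute names are matched case-insensitively, as browsers do.
 */
function auditSetCookieHeader(string $header): array
{
    $parts = array_map('trim', explode(';', $header));
    array_shift($parts); // drop the leading "name=value" pair
    $attrs = [];
    foreach ($parts as $part) {
        [$name, $value] = array_pad(explode('=', $part, 2), 2, null);
        $attrs[strtolower($name)] = $value;
    }
    $missing = [];
    foreach (['secure' => 'Secure', 'httponly' => 'HttpOnly', 'samesite' => 'SameSite'] as $key => $label) {
        if (!array_key_exists($key, $attrs)) {
            $missing[] = $label;
        }
    }
    return $missing;
}

// Constructed sample headers, as a scanner would see them before and after the fix.
$before = 'stack_infinity[bID_42]=%7B%22count%22%3A0%7D; expires=Thu, 01 Jan 2026 00:00:00 GMT; path=/';
$after  = 'stack_infinity[bID_42]=%7B%22count%22%3A0%7D; expires=Thu, 01 Jan 2026 00:00:00 GMT; path=/; secure; HttpOnly; SameSite=Lax';

print_r(auditSetCookieHeader($before));
print_r(auditSetCookieHeader($after));
```

Running the checker against a header captured from the live site (for example from the response headers in the browser's developer tools) gives the same kind of finding the audit reported; after upgrading the add-on and serving the site over HTTPS, the cookie should come back with an empty list.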
MikeTCB replied:
Ah, so that's what it is! I just checked our git repository and $request->isSecure() doesn't exist, so I noticed that we haven't updated to the latest version of this addon.

It would help if we did that :-)

Thanks

concrete5 Environment Information

# Concrete Version
Core Version - 9.1.3
Version Installed - 9.1.3
Database Version - 20220908074900

# Hostname
h1-prod-tcb

# Environment
live

# Database Information
Version: 5.7.12-log
SQL Mode:

# Concrete Packages
Afixia: Login Redirect (0.9.6), Afixia: SEO Redirects (1.1.5), ATM Data (0.7.4), Form Plus (2.4.2), Latitude/Longitude Attribute (0.9), Magic Tabs (7.2.8), Manual Nav (2.3.4), Mega Menu (1.6.5), More Block Templates (0.9.7), Nestable Manual Nav (1.4.1), Open Graph Tags Lite (2.1.5), Responsive Embed (1.0.1), Site Alerts (1.0.0), Stack Infinity (1.2.3), Tri Counties Bank (2.0.0)

# Concrete Overrides
blocks/autonav/templates/tcb-megamenu/view.php, blocks/autonav/templates/tcb-megamenu, blocks/autonav/templates, blocks/autonav, blocks/call_to_action/js_form/select2.sortable.js, blocks/call_to_action/js_form, blocks/call_to_action/composer.php, blocks/call_to_action/config.json, blocks/call_to_action/auto.css, blocks/call_to_action/edit.php, blocks/call_to_action/form.php, blocks/call_to_action/view.php, blocks/call_to_action/db.xml, blocks/call_to_action/controller.php, blocks/call_to_action/add.php, blocks/call_to_action/auto.js, blocks/call_to_action/icon.png, blocks/call_to_action, blocks/alert_display_area/templates/tcb_alert/view.js, blocks/alert_display_area/templates/tcb_alert/js/js.cookie.js, blocks/alert_display_area/templates/tcb_alert/js/dismiss.js, blocks/alert_display_area/templates/tcb_alert/js, blocks/alert_display_area/templates/tcb_alert/view.php, blocks/alert_display_area/templates/tcb_alert/view.css, blocks/alert_display_area/templates/tcb_alert, blocks/alert_display_area/templates, blocks/alert_display_area, blocks/search/templates/search_modal/view.php, blocks/search/templates/search_modal, blocks/search/templates, blocks/search/view.php, blocks/search, blocks/social_links/templates/tri-counties-bank-icons/threads.png, blocks/social_links/templates/tri-counties-bank-icons/x.png, blocks/social_links/templates/tri-counties-bank-icons/threads-hover.png, blocks/social_links/templates/tri-counties-bank-icons/view.php, blocks/social_links/templates/tri-counties-bank-icons, blocks/social_links/templates, blocks/social_links, blocks/tcb_login/templates/online_banking_login/view.php, blocks/tcb_login/templates/online_banking_login, blocks/tcb_login/templates, blocks/tcb_login, blocks/horizontal_rule/templates/spacer.php, blocks/horizontal_rule/templates, blocks/horizontal_rule, blocks/mortgage_specialist/composer.php, blocks/mortgage_specialist/config.json, blocks/mortgage_specialist/edit.php, blocks/mortgage_specialist/form.php, 
blocks/mortgage_specialist/view.php, blocks/mortgage_specialist/db.xml, blocks/mortgage_specialist/controller.php, blocks/mortgage_specialist/add.php, blocks/mortgage_specialist/view.scss, blocks/mortgage_specialist/icon.png, blocks/mortgage_specialist/view.css, blocks/mortgage_specialist, blocks/vidal_themes_buttons/templates/tri-counties-bank-cta/view.php, blocks/vidal_themes_buttons/templates/tri-counties-bank-cta, blocks/vidal_themes_buttons/templates/full_width_button/view.php, blocks/vidal_themes_buttons/templates/full_width_button, blocks/vidal_themes_buttons/templates, blocks/vidal_themes_buttons/view.php, blocks/vidal_themes_buttons/controller.php, blocks/vidal_themes_buttons, blocks/page_list/templates/navigation/view.php, blocks/page_list/templates/navigation, blocks/page_list/templates/resources/view.php, blocks/page_list/templates/resources/view.scss, blocks/page_list/templates/resources/view.css, blocks/page_list/templates/resources, blocks/page_list/templates/features/view.js, blocks/page_list/templates/features/scrapbook.php, blocks/page_list/templates/features/fonts/slick.svg, blocks/page_list/templates/features/fonts/slick.woff, blocks/page_list/templates/features/fonts/slick.ttf, blocks/page_list/templates/features/fonts/slick.eot, blocks/page_list/templates/features/fonts, blocks/page_list/templates/features/view.php, blocks/page_list/templates/features/ajax-loader.gif, blocks/page_list/templates/features/view.scss, blocks/page_list/templates/features/view.css, blocks/page_list/templates/features, blocks/page_list/templates/preheader/view.php, blocks/page_list/templates/preheader/view.scss, blocks/page_list/templates/preheader/view.css, blocks/page_list/templates/preheader, blocks/page_list/templates/location_map/images/moneypass_atms.png, blocks/page_list/templates/location_map/images/tri_counties_bank_atms.png, blocks/page_list/templates/location_map/images/business_lending_centers.png, 
blocks/page_list/templates/location_map/images/branches.png, blocks/page_list/templates/location_map/images, blocks/page_list/templates/location_map/view.php, blocks/page_list/templates/location_map, blocks/page_list/templates/highlights/view.php, blocks/page_list/templates/highlights/img/bg_curve.svg, blocks/page_list/templates/highlights/img, blocks/page_list/templates/highlights/view.scss, blocks/page_list/templates/highlights/view.css, blocks/page_list/templates/highlights, blocks/page_list/templates/carousel/view.php, blocks/page_list/templates/carousel/img/bg_curve.svg, blocks/page_list/templates/carousel/img, blocks/page_list/templates/carousel/view.css, blocks/page_list/templates/carousel, blocks/page_list/templates/tcb_dropdown/view.js, blocks/page_list/templates/tcb_dropdown/view.php, blocks/page_list/templates/tcb_dropdown, blocks/page_list/templates/tcb_megamenu/view.php, blocks/page_list/templates/tcb_megamenu, blocks/page_list/templates, blocks/page_list/view.php, blocks/page_list, blocks/home_hero/js_form/select2.sortable.js, blocks/home_hero/js_form, blocks/home_hero/composer.php, blocks/home_hero/config.json, blocks/home_hero/auto.css, blocks/home_hero/edit.php, blocks/home_hero/form.php, blocks/home_hero/view.php, blocks/home_hero/db.xml, blocks/home_hero/controller.php, blocks/home_hero/add.php, blocks/home_hero/auto.js, blocks/home_hero/icon.png, blocks/home_hero, blocks/vidal_themes_quote_slider/templates/centered/view.php, blocks/vidal_themes_quote_slider/templates/centered/view.scss, blocks/vidal_themes_quote_slider/templates/centered/view.css, blocks/vidal_themes_quote_slider/templates/centered, blocks/vidal_themes_quote_slider/templates, blocks/vidal_themes_quote_slider, elements/containers/features_three_column.php, elements/containers/calculator_links.php, elements/containers/home_hero.php, elements/containers/full_width_gray.php, elements/containers/full_width.php, elements/containers/profiles.php, elements/containers/bg_gray_curve.php, 
elements/containers/seven_column.php, elements/containers/profiles_two_column.php, elements/containers/five_column.php, elements/containers, single_pages/login.php, themes/modena/page_forbidden.php, themes/modena/page_not_found.php, themes/modena/home.php, themes/modena/sub_page.php, themes/modena/elements/title.php, themes/modena/elements/subnav.php, themes/modena/elements/footer.php, themes/modena/elements/features.php, themes/modena/elements/containers/test_container.php, themes/modena/elements/containers, themes/modena/elements/header.php, themes/modena/elements/styles.php, themes/modena/elements/title-hero.php, themes/modena/elements/title-blank.php, themes/modena/elements/sub-page-header.php, themes/modena/elements, themes/modena/full.php, themes/modena/description.txt, themes/modena/js/globalfooter.js, themes/modena/js/main-min.js, themes/modena/js/scripts-min.js, themes/modena/js, themes/modena/images/image.png, themes/modena/images, themes/modena/block_preview.php, themes/modena/tcb_sub_page.php, themes/modena/left_sidebar.php, themes/modena/cart.php, themes/modena/checkout.php, themes/modena/css/navigation/_nav.less, themes/modena/css/navigation/_mobile-nav.less, themes/modena/css/navigation, themes/modena/css/tcb.css.map, themes/modena/css/base/_reset.less, themes/modena/css/base/_spacing.less, themes/modena/css/base/_utility.less, themes/modena/css/base, themes/modena/css/_tcb-v1.scss, themes/modena/css/modena-v003.css, themes/modena/css/styles.xml, themes/modena/css/fonts/fontawesome-webfont.woff, themes/modena/css/fonts/fontawesome-webfont.eot, themes/modena/css/fonts/ionicons.eot, themes/modena/css/fonts/fontawesome-webfont.woff2, themes/modena/css/fonts/FontAwesome.otf, themes/modena/css/fonts/fontawesome-webfont.svg, themes/modena/css/fonts/ionicons.svg, themes/modena/css/fonts/ionicons.ttf, themes/modena/css/fonts/ionicons.woff, themes/modena/css/fonts/fontawesome-webfont.ttf, themes/modena/css/fonts, themes/modena/css/components/_cards.less, 
themes/modena/css/components/_overlays.less, themes/modena/css/components/_forms.less, themes/modena/css/components/_preloaders.less, themes/modena/css/components/_blog.less, themes/modena/css/components/_tabs.less, themes/modena/css/components/_video-hero-unit.less, themes/modena/css/components/_buttons.less, themes/modena/css/components/_notices.less, themes/modena/css/components/_com-store.less, themes/modena/css/components/_hero-unit.less, themes/modena/css/components/_isotope.less, themes/modena/css/components/_testimonials.less, themes/modena/css/components/_social-networks.less, themes/modena/css/components/_maps.less, themes/modena/css/components/_pricing.less, themes/modena/css/components/_sliders.less, themes/modena/css/components/_modal.less, themes/modena/css/components/_tags.less, themes/modena/css/components/_team.less, themes/modena/css/components/_icon-boxes.less, themes/modena/css/components/_animation.less, themes/modena/css/components/_video.less, themes/modena/css/components/_calendar.less, themes/modena/css/components/_accordion.less, themes/modena/css/components/_page-list.less, themes/modena/css/components, themes/modena/css/presets/tcb.less, themes/modena/css/presets, themes/modena/css/img/bg_title_red.png, themes/modena/css/img, themes/modena/css/modena-v003.less, themes/modena/css/helpers/_mixins.less, themes/modena/css/helpers, themes/modena/css/layout/_grid.less, themes/modena/css/layout/_bootstrap-grid.less, themes/modena/css/layout/_headers.less, themes/modena/css/layout/_footers.less, themes/modena/css/layout/_sidebars.less, themes/modena/css/layout, themes/modena/css/tcb.css, themes/modena/css/tcb.scss, themes/modena/css/typography/_fonts.less, themes/modena/css/typography/_text.less, themes/modena/css/typography, themes/modena/css, themes/modena/default.php, themes/modena/view.php, themes/modena/page_theme.php, themes/modena/blog_entry.php, themes/modena/blank.php, themes/modena/right_sidebar.php, themes/modena/thumbnail.png, 
themes/modena/checkout/complete.php, themes/modena/checkout, themes/modena

# Concrete Cache Settings
Block Cache - On
Overrides Cache - On
Full Page Caching - On - In all cases.
Full Page Cache Lifetime - Every 5 minutes.

# Server Software
nginx/1.22.0

# Server API
fpm-fcgi

# PHP Version
7.4.3-4ubuntu2.19

# PHP Extensions
bcmath, calendar, cgi-fcgi, Core, ctype, curl, date, dom, exif, FFI, fileinfo, filter, ftp, gd, gettext, hash, iconv, igbinary, imap, intl, json, libxml, mbstring, mysqli, mysqlnd, openssl, pcre, PDO, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, Phar, posix, readline, redis, Reflection, session, shmop, SimpleXML, soap, sockets, sodium, SPL, sqlite3, standard, sysvmsg, sysvsem, sysvshm, tokenizer, xml, xmlreader, xmlwriter, xsl, Zend OPcache, zip, zlib

# PHP Settings
max_execution_time - 30
log_errors_max_len - 1024
max_file_uploads - 20
max_input_nesting_level - 64
max_input_time - 60
max_input_vars - 1000
max_multipart_body_parts - -1
memory_limit - 256M
post_max_size - 100M
upload_max_filesize - 100M
mbstring.regex_retry_limit - 1000000
mbstring.regex_stack_limit - 100000
mysqli.max_links - Unlimited
mysqli.max_persistent - Unlimited
pcre.backtrack_limit - 1000000
pcre.recursion_limit - 100000
pgsql.max_links - Unlimited
pgsql.max_persistent - Unlimited
redis.pconnect.connection_limit - 0
session.cache_limiter - no value
session.gc_maxlifetime - 7200
soap.wsdl_cache_limit - 5
unserialize_max_depth - 4096
opcache.max_accelerated_files - 10000
opcache.max_file_size - 0
opcache.max_wasted_percentage - 5

Browser User-Agent String

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0
