Konqueror prevents JavaScript from reading cookies with the HttpOnly flag (and this is good - it works as expected), but it turns out that Konqueror allows JavaScript to overwrite HttpOnly cookies. As a consequence the attacker can launch a session fixation attack and finally impersonate the victim - the attacker just overwrites the HttpOnly cookie of the victim (session fixation via HttpOnly cookie). As a result of the session fixation attack, the attacker can impersonate the victim, because he knows the victim's session ID. This is how the HttpOnly flag can be bypassed in Konqueror. Regards, Dawid Czagan
Reproducible: Always
Which browser engine did you use to test this? webkit or khtml?
KHTML
Do you by any chance have a test case for this? Otherwise, I will have to create a test case which might take a while.
I have a simple PHP site created to play with this issue (if you are interested, I will paste the code here). By the way - when are you going to fix this issue?
Feel free to post the script. I am already looking into it now and hopefully will get a fix out before the 4.12.3 release.
Created attachment 85145: Simple code to play with the issue. Run it, refresh, and see that JavaScript was able to overwrite cookie1, which has the HttpOnly flag set.
This is probably a WONTFIX for the same reasons outlined by the Firefox developers in https://bugzilla.mozilla.org/show_bug.cgi?id=607613. Read the discussion in that ticket and see the security considerations in section 8 of http://www.rfc-editor.org/rfc/rfc6265.txt
JavaScript can't overwrite HttpOnly cookies in Firefox (I tested it). BTW, there is no reason to allow JavaScript to overwrite HttpOnly cookies, and this overwriting can only lead to problems. Moreover, it turns out that the majority of browsers don't allow the aforementioned overwriting. Please let me know if you are going to fix this problem in Konqueror.
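The behaviour under discussion, modelled against the RFC 6265 storage rules the thread cites. This is an added example written for this thread, not code from Konqueror/KHTML or from the attachment; cookie names, domain and values are constructed, and the `enforceOverwriteRule` switch is only there to contrast a compliant store with the reported behaviour.

```javascript
// Minimal RFC 6265 section 5.3 cookie store (added example, not KHTML code).
// A "non-HTTP" API means document.cookie; "http" means a Set-Cookie header.
class CookieStore {
  // enforceOverwriteRule=false models the behaviour the report describes
  constructor(enforceOverwriteRule = true) {
    this.enforceOverwriteRule = enforceOverwriteRule;
    this.cookies = new Map(); // keyed by name|domain|path, as the RFC requires
  }

  static key(c) {
    return `${c.name}|${c.domain}|${c.path}`;
  }

  // Returns true if the cookie was stored, false if it was ignored.
  store(cookie, source) {
    if (source === 'non-http' && cookie.httpOnly) {
      return false; // section 5.3 step 10: script may not create HttpOnly cookies
    }
    const key = CookieStore.key(cookie);
    const old = this.cookies.get(key);
    if (old && old.httpOnly && source === 'non-http' && this.enforceOverwriteRule) {
      return false; // section 5.3 step 11: script may not replace an HttpOnly cookie
    }
    this.cookies.set(key, cookie);
    return true;
  }

  value(name, domain, path) {
    const c = this.cookies.get(`${name}|${domain}|${path}`);
    return c ? c.value : undefined;
  }
}

// Replays the attachment's scenario: the server sets cookie1 with HttpOnly,
// then page script tries to overwrite it via document.cookie. Returns the
// value the server would receive on the next request.
function replayScenario(enforceOverwriteRule) {
  const store = new CookieStore(enforceOverwriteRule);
  const base = { name: 'cookie1', domain: 'example.test', path: '/' }; // constructed
  store.store({ ...base, value: 'server-session-id', httpOnly: true }, 'http');
  store.store({ ...base, value: 'script-chosen-id', httpOnly: false }, 'non-http');
  return store.value('cookie1', 'example.test', '/');
}

console.log('compliant store:', replayScenario(true));          // server-session-id
console.log('reported KHTML behaviour:', replayScenario(false)); // script-chosen-id
```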