Fixed security issue reported by huntr.dev: Session cookie missed the "secure" flag. Thanks for reporting!

defaults.php

@@ -120,10 +120,9 @@ if (isset($_SERVER ['HTTPS'])) {
 }
 $serverport = "false";
 // Unterstützung für Apache und IIS
+ini_set('session.cookie_secure', 1);
 if (isset($_SERVER ['HTTPS']) && ($_SERVER ['HTTPS'] == '1' || strtolower($_SERVER ['HTTPS']) == 'on')) {
 	$serverport = "https://";
-	// Uses a secure connection (HTTPS) if possible
-	ini_set('session.cookie_secure', 1);
 } else {
 	$serverport = "http://";
 }

fp-includes/core/core.cookie.php

@@ -1,7 +1,6 @@
 <?php
 
 function cookie_setup() {
-
 	global $fp_config;
 
 	// md5(BLOG_BASEURL);
@@ -22,20 +21,25 @@ if ( !defined('SITECOOKIEPATH') )
 		define('SITECOOKIEPATH', preg_replace('|https?://[^/]+|i', '', BLOG_BASEURL));
 	if (!defined('COOKIE_DOMAIN'))
 		define('COOKIE_DOMAIN', false);
-        
-
+	if (!defined('COOKIE_SECURE'))
+		define('COOKIE_SECURE', true);
 }
 
 if (!function_exists('wp_get_cookie_login')) :
+
 	function wp_get_cookie_login() {
 		if (empty($_COOKIE [USER_COOKIE]) || empty($_COOKIE [PASS_COOKIE]))
 			return false;
 
-	return array('login' => $_COOKIE[USER_COOKIE],	'password' => $_COOKIE[PASS_COOKIE]);
+		return array(
+			'login' => $_COOKIE [USER_COOKIE],
+			'password' => $_COOKIE [PASS_COOKIE]
+		);
 	}
 
 endif;
 
+
 function cookie_set($username, $password, $already_md5 = false, $home = '', $siteurl = '', $remember = false) {
 	if (!$already_md5)
 		$password = md5(md5($password)); // Double hash the password in the cookie.
@@ -58,24 +62,24 @@ function cookie_set($username, $password, $already_md5 = false, $home = '', $sit
 	else
 		$expire = 0;
 
-	setcookie(USER_COOKIE, $username, $expire, $cookiepath, COOKIE_DOMAIN);
-	setcookie(PASS_COOKIE, $password, $expire, $cookiepath, COOKIE_DOMAIN);
+	setcookie(USER_COOKIE, $username, $expire, $cookiepath, COOKIE_DOMAIN, COOKIE_SECURE);
+	setcookie(PASS_COOKIE, $password, $expire, $cookiepath, COOKIE_DOMAIN, COOKIE_SECURE);
 
 	if ($cookiepath != $sitecookiepath) {
-		setcookie(USER_COOKIE, $username, $expire, $sitecookiepath, COOKIE_DOMAIN);
-		setcookie(PASS_COOKIE, $password, $expire, $sitecookiepath, COOKIE_DOMAIN);
+		setcookie(USER_COOKIE, $username, $expire, $sitecookiepath, COOKIE_DOMAIN, COOKIE_SECURE);
+		setcookie(PASS_COOKIE, $password, $expire, $sitecookiepath, COOKIE_DOMAIN, COOKIE_SECURE);
 	}
 }
 
 function cookie_clear() {
-	setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
-	setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
-	setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
-	setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
+	setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
+	setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
+	setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
+	setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
 }
 
-
 if (!function_exists('wp_login')) :
+
 	function wp_login($username, $password, $already_md5 = false) {
 		global $wpdb, $error;
 
@@ -110,6 +114,7 @@ function wp_login($username, $password, $already_md5 = false) {
 endif;
 
 if (!function_exists('is_user_logged_in')) :
+
 	function is_user_logged_in() {
 		$user = wp_get_current_user();
 
@@ -121,11 +126,10 @@ function is_user_logged_in() {
 endif;
 
 if (!function_exists('auth_redirect')) :
+
 	function auth_redirect() {
 		// Checks if a user is logged in, if not redirects them to the login page
-	if ( (!empty($_COOKIE[USER_COOKIE]) &&
-				!wp_login($_COOKIE[USER_COOKIE], $_COOKIE[PASS_COOKIE], true)) ||
-			 (empty($_COOKIE[USER_COOKIE])) ) {
+		if ((!empty($_COOKIE [USER_COOKIE]) && !wp_login($_COOKIE [USER_COOKIE], $_COOKIE [PASS_COOKIE], true)) || (empty($_COOKIE [USER_COOKIE]))) {
 			nocache_headers();
 
 			wp_redirect(get_option('siteurl') . '/wp-login.php?redirect_to=' . urlencode($_SERVER ['REQUEST_URI']));
@@ -134,5 +138,4 @@ function auth_redirect() {
 	}
 endif;
 
-
 ?>

fp-includes/core/core.session.php

@@ -1,23 +1,19 @@
 <?php
 
-	
-
 function sess_setup() {
 	if (SESSION_PATH != '')
 		session_save_path(SESSION_PATH);
 
 	session_name(SESS_COOKIE);
+	setcookie(SESS_COOKIE, '', 0, '', COOKIE_DOMAIN, COOKIE_SECURE);
 
 	session_start();
-		
 }
 
-	
 function sess_add($key, $val) {
 	$_SESSION [$key] = $val;
 }
 
-	
 function sess_remove($key) {
 	if (isset($_SESSION [$key])) {
 		$oldval = $_SESSION [$key];
@@ -29,13 +25,14 @@
 function sess_get($key) {
 	if (isset($_SESSION [$key]))
 		return $_SESSION [$key];
-		 else return false;
+	else
+		return false;
 }
 
 function sess_close() {
 	unset($_SESSION);
 	if (isset($_COOKIE [session_name()])) {
-			setcookie(session_name(), '', time()-42000, '/');
+		setcookie(session_name(), '', time() - 42000, '/', COOKIE_SECURE);
 		session_set_cookie_params(-42000);
 	}
 	session_destroy();

fp-includes/core/core.users.php

@@ -64,8 +64,8 @@ function user_login($userid, $pwd, $params = null) {
 	if ($loggedin) {
 		// session_regenerate_id();
 		$expire = time() + 31536000;
-		setcookie(USER_COOKIE, $userid, $expire, COOKIEPATH, COOKIE_DOMAIN);
-		setcookie(PASS_COOKIE, $user ['password'], $expire, COOKIEPATH, COOKIE_DOMAIN);
+		setcookie(USER_COOKIE, $userid, $expire, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
+		setcookie(PASS_COOKIE, $user ['password'], $expire, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
 	}
 
 	return $loggedin;
@@ -76,8 +76,8 @@ function user_logout() {
 
 	if (user_loggedin()) {
 
-		setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
-		setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
+		setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
+		setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
 	}
 
 	$loggedin = false;

fp-includes/core/core.wp-pluggable-funcs.php

@@ -290,12 +290,12 @@ if (!function_exists('wp_setcookie')) :
 			$cookiehash = md5($siteurl);
 		}
 
-		setcookie('wordpressuser_' . $cookiehash, $username, time() + 31536000, $cookiepath);
-		setcookie('wordpresspass_' . $cookiehash, $password, time() + 31536000, $cookiepath);
+		setcookie('wordpressuser_' . $cookiehash, $username, time() + 31536000, $cookiepath, COOKIE_SECURE);
+		setcookie('wordpresspass_' . $cookiehash, $password, time() + 31536000, $cookiepath, COOKIE_SECURE);
 
 		if ($cookiepath != $sitecookiepath) {
-			setcookie('wordpressuser_' . $cookiehash, $username, time() + 31536000, $sitecookiepath);
-			setcookie('wordpresspass_' . $cookiehash, $password, time() + 31536000, $sitecookiepath);
+			setcookie('wordpressuser_' . $cookiehash, $username, time() + 31536000, $sitecookiepath, COOKIE_SECURE);
+			setcookie('wordpresspass_' . $cookiehash, $password, time() + 31536000, $sitecookiepath, COOKIE_SECURE);
 		}
 	}
 endif;
@@ -303,10 +303,10 @@ endif;
 if (!function_exists('wp_clearcookie')) :
 
 	function wp_clearcookie() {
-		setcookie('wordpressuser_' . COOKIEHASH, ' ', time() - 31536000, COOKIEPATH);
-		setcookie('wordpresspass_' . COOKIEHASH, ' ', time() - 31536000, COOKIEPATH);
-		setcookie('wordpressuser_' . COOKIEHASH, ' ', time() - 31536000, SITECOOKIEPATH);
-		setcookie('wordpresspass_' . COOKIEHASH, ' ', time() - 31536000, SITECOOKIEPATH);
+		setcookie('wordpressuser_' . COOKIEHASH, ' ', time() - 31536000, COOKIEPATH, COOKIE_SECURE);
+		setcookie('wordpresspass_' . COOKIEHASH, ' ', time() - 31536000, COOKIEPATH, COOKIE_SECURE);
+		setcookie('wordpressuser_' . COOKIEHASH, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_SECURE);
+		setcookie('wordpresspass_' . COOKIEHASH, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_SECURE);
 	}
 endif;