
www.in.no

PCI Scan HTTPONLY cookies

Just had a PCI scan with McAfee, and got one error that I am not sure how to fix.

Or if it is a false positive...

Sensitive Cookie Missing 'HTTPONLY' Attribute

on ports 443 and 80.

----

And I also have one question on how to secure the alias directory phpmyadmin.

 

Web Server Uses Basic Authentication Without HTTPS

 

----

 

Severity: Medium
Name: Sensitive Cookie Missing 'HTTPONLY' Attribute
Port: 443/tcp
Category: Web Application
Status: Fail

Description:
The application does not utilize HTTP-only cookies. This is a new security feature introduced by Microsoft in IE 6 SP1 to mitigate the possibility of successful Cross-site Scripting attacks by not allowing cookies with the "HttpOnly" flag to be accessed via client-side scripts.

An attacker can easily steal a user's session if the attacker is able to manipulate the Javascript. This vulnerability has a very high security impact if the site is also vulnerable to Cross Site Scripting (XSS).

CVSS Score: 4.3
CVSS Fingerprint: AV:N/AC:M/Au:N/C:P/I:N/A:N

Solution:
Set the "HTTPONLY" flag for cookies containing sensitive information, particularly session tokens.

Details:
Protocol: https | Port: 443 | Read Timeout: 10000 | Method: GET | Path: / | Headers: Via=%22Xx%3CXaXaXXaXaX%3ExXx%27%3B%22%2C%29%60
HttpOnly attribute is not used: osCsid=DKSVpqIUDwIXXOuo5FN2zkRmtM6PMXbyr0bS7AuiFKwWZCw1tAXvGW9PP9Rp8FOk; path=/; domain=osc.allmedia.no

Links: None
References: None

 

 

Severity: Medium
Name: Sensitive Cookie Missing 'HTTPONLY' Attribute
Port: 80/tcp
Category: Web Application
Status: Fail

Description:
The application does not utilize HTTP-only cookies. This is a new security feature introduced by Microsoft in IE 6 SP1 to mitigate the possibility of successful Cross-site Scripting attacks by not allowing cookies with the "HttpOnly" flag to be accessed via client-side scripts.

An attacker can easily steal a user's session if the attacker is able to manipulate the Javascript. This vulnerability has a very high security impact if the site is also vulnerable to Cross Site Scripting (XSS).

CVSS Score: 4.3
CVSS Fingerprint: AV:N/AC:M/Au:N/C:P/I:N/A:N

Solution:
Set the "HTTPONLY" flag for cookies containing sensitive information, particularly session tokens.

Details:
Protocol: http | Port: 80 | Read Timeout: 10000 | Method: GET | Path: / | Headers: Host=osc.allmedia.no
HttpOnly attribute is not used: osCsid=g3R2YA7THKKxLEnUAC_nsvUkk2mnYyKSPP4oTdeS5xjUGdRwFa8cW8cbUjE7P7yd; path=/; domain=osc.allmedia.no

Protocol: http | Port: 80 | Read Timeout: 10000 | Method: GET | Path: / | Headers: Via=%22Xx%3CXaXaXXaXaX%3ExXx%27%3B%22%2C%29%60
HttpOnly attribute is not used: osCsid=wiuXw5J0rJwZLoKtDxdNRhAbgxbesrgvRjgDUlO7eb48jhNrL6vCeXZziHm2cQQ3; path=/; domain=osc.allmedia.no

Links: None
References: None
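To see exactly what the scanner is objecting to, and to verify a fix before re-running the PCI scan, here is a small added check script (not from the original post, and not McAfee's or osCommerce's code). It parses captured response headers and reports the two findings raised in this thread: a session-looking cookie issued without HttpOnly (and, as an extra check the pasted report does not include, without Secure when issued over https), and a Basic-auth challenge returned over plain http, which is the phpMyAdmin finding. The cookie-name pattern is a heuristic assumption, and the sample responses are constructed; the session id from the report is replaced by a placeholder.

```python
"""Constructed check for the two PCI findings discussed in this thread:
a session cookie set without HttpOnly (and, over https, without Secure), and
HTTP Basic authentication offered on a plain-http response.  Added example,
not part of the original post or of any osCommerce/McAfee tooling."""
import re

# Cookie names that look like session or auth tokens.  This is a heuristic
# assumption, not the scanner's actual rule; "osCsid" (the osCommerce session
# cookie named in the report) matches on "sid".
SENSITIVE_NAME = re.compile(r"sess|sid|auth|token|login", re.IGNORECASE)


def parse_set_cookie(header_value):
    """Split one Set-Cookie header into name, value and lower-cased attributes.
    Flag attributes such as HttpOnly and Secure map to True."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookie_findings(scheme, set_cookie_headers):
    """One finding string per sensitive cookie lacking HttpOnly, plus a Secure
    finding when the cookie was issued over https (the Secure check goes
    beyond what the pasted scan reported)."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if not SENSITIVE_NAME.search(cookie["name"]):
            continue
        if "httponly" not in cookie["attrs"]:
            findings.append(f"{cookie['name']}: missing HttpOnly")
        if scheme == "https" and "secure" not in cookie["attrs"]:
            findings.append(f"{cookie['name']}: missing Secure")
    return findings


def basic_auth_finding(scheme, status, headers):
    """Finding when a 401 over plain http challenges with Basic auth, i.e.
    credentials would travel base64-encoded in the clear."""
    challenges = [v for k, v in headers if k.lower() == "www-authenticate"]
    if status == 401 and scheme == "http" and any(
        c.lower().startswith("basic") for c in challenges
    ):
        return "Basic authentication offered over plain http"
    return None


def scan_response(scheme, status, headers):
    """Run both checks over one captured response.
    headers is a list of (name, value) pairs as sent by the server."""
    set_cookies = [v for k, v in headers if k.lower() == "set-cookie"]
    findings = cookie_findings(scheme, set_cookies)
    basic = basic_auth_finding(scheme, status, headers)
    if basic:
        findings.append(basic)
    return findings


if __name__ == "__main__":
    # Constructed samples: the cookie line shape from the report, with a
    # placeholder instead of the real session id.
    before = [("Set-Cookie", "osCsid=SESSIONID_PLACEHOLDER; path=/; domain=osc.allmedia.no")]
    after = [("Set-Cookie", "osCsid=SESSIONID_PLACEHOLDER; path=/; domain=osc.allmedia.no; HttpOnly; Secure")]
    pma = [("WWW-Authenticate", 'Basic realm="phpMyAdmin"')]
    print("shop before fix: ", scan_response("https", 200, before))
    print("shop after fix:  ", scan_response("https", 200, after))
    print("phpmyadmin http: ", scan_response("http", 401, pma))
    print("phpmyadmin https:", scan_response("https", 401, pma))
```

Feed it the raw headers of a real response (for example from a browser's network panel or a command-line HTTP client) and an empty list for the shop front page means the HttpOnly finding should no longer appear; for the phpMyAdmin alias, the Basic-auth finding clears once the 401 challenge is only ever returned over https.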

For some reason, I also followed the patch, but it doesn't work with my 2.2 shopping cart.

So I have to add the extra lines to .htaccess:

<IfModule php5_module>
# Tell PHP to issue its session cookie with the HttpOnly flag
php_value session.cookie_httponly true
</IfModule>

For the 2.2 version, so I believe it must be a server configuration problem; so it is only for reference.
