
osCommerce

The e-commerce.

PCI Scan HTTPONLY cookies


www.in.no


Just had a PCI scan with McAfee, and got one error that I am not sure how to fix.

Or if it is a false positive...

Sensitive Cookie Missing 'HTTPONLY' Attribute

on port 443 and 80.

----

And I also have one question on how to secure the alias directory phpmyadmin.

 

Web Server Uses Basic Authentication Without HTTPS

 

----

 

Severity: Medium
Name: Sensitive Cookie Missing 'HTTPONLY' Attribute
Port: 443/tcp
Category: Web Application
Status: Fail

Description

The application does not utilize HTTP-only cookies. This is a new security feature introduced by Microsoft in IE 6 SP1 to mitigate the possibility of successful Cross-site Scripting attacks by not allowing cookies with the "HttpOnly" flag to be accessed via client-side scripts.

An attacker can easily steal a user's session if the attacker is able to manipulate the Javascript. This vulnerability has a very high security impact if the site is also vulnerable to Cross Site Scripting (XSS).

CVSS Score: 4.3
CVSS Fingerprint: AV:N/AC:M/Au:N/C:P/I:N/A:N

Solution

Set the "HTTPONLY" flag for cookies containing sensitive information, particularly session tokens.

Details

Protocol: https  Port: 443  Read Timeout: 10000  Method: GET  Path: /  Headers: Via=%22Xx%3CXaXaXXaXaX%3ExXx%27%3B%22%2C%29%60

HttpOnly attribute is not used: osCsid=DKSVpqIUDwIXXOuo5FN2zkRmtM6PMXbyr0bS7AuiFKwWZCw1tAXvGW9PP9Rp8FOk; path=/; domain=osc.allmedia.no

Links: None
References: None

 

 

Severity: Medium
Name: Sensitive Cookie Missing 'HTTPONLY' Attribute
Port: 80/tcp
Category: Web Application
Status: Fail

Description

The application does not utilize HTTP-only cookies. This is a new security feature introduced by Microsoft in IE 6 SP1 to mitigate the possibility of successful Cross-site Scripting attacks by not allowing cookies with the "HttpOnly" flag to be accessed via client-side scripts.

An attacker can easily steal a user's session if the attacker is able to manipulate the Javascript. This vulnerability has a very high security impact if the site is also vulnerable to Cross Site Scripting (XSS).

CVSS Score: 4.3
CVSS Fingerprint: AV:N/AC:M/Au:N/C:P/I:N/A:N

Solution

Set the "HTTPONLY" flag for cookies containing sensitive information, particularly session tokens.

Details

Protocol: http  Port: 80  Read Timeout: 10000  Method: GET  Path: /  Headers: Host=osc.allmedia.no

HttpOnly attribute is not used: osCsid=g3R2YA7THKKxLEnUAC_nsvUkk2mnYyKSPP4oTdeS5xjUGdRwFa8cW8cbUjE7P7yd; path=/; domain=osc.allmedia.no

Protocol: http  Port: 80  Read Timeout: 10000  Method: GET  Path: /  Headers: Via=%22Xx%3CXaXaXXaXaX%3ExXx%27%3B%22%2C%29%60

HttpOnly attribute is not used: osCsid=wiuXw5J0rJwZLoKtDxdNRhAbgxbesrgvRjgDUlO7eb48jhNrL6vCeXZziHm2cQQ3; path=/; domain=osc.allmedia.no

Links: None
References: None

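As an added example (not from the thread or from osCommerce), the check below reproduces what the scanner does with the "Details" lines above: it parses each Set-Cookie header, and flags a session cookie such as osCsid that lacks the HttpOnly attribute and, when the response came over HTTPS, one that also lacks Secure. The session-cookie names other than osCsid and the sample domain are assumptions, and the sample headers are constructed.

```python
# Audit Set-Cookie headers for the HttpOnly and Secure attributes,
# the same check a PCI scanner reports as "Sensitive Cookie Missing 'HTTPONLY'".

# Cookie names that carry a session token and must be HttpOnly.
# osCsid is osCommerce's session id; the others are common defaults (assumption).
SENSITIVE_NAMES = {"oscsid", "phpsessid", "sessionid", "jsessionid"}


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are lower-cased because they are case-insensitive
    (RFC 6265); valueless attributes such as HttpOnly map to "".
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")   # first "=" only; values may contain "="
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header, over_https):
    """Return the list of findings for one Set-Cookie header (empty if fine)."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if name.lower() in SENSITIVE_NAMES:
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly")
        if over_https and "secure" not in attrs:
            findings.append(f"{name}: missing Secure on HTTPS")
    return findings


def audit_response(set_cookie_headers, over_https):
    """Audit every Set-Cookie header of one response."""
    findings = []
    for header in set_cookie_headers:
        findings.extend(audit_cookie(header, over_https))
    return findings


# Constructed samples shaped like the scanner's "Details" lines (placeholder
# session value and domain): before and after enabling session.cookie_httponly.
SAMPLE_BEFORE = ["osCsid=EXAMPLESESSIONVALUE; path=/; domain=shop.example"]
SAMPLE_AFTER = ["osCsid=EXAMPLESESSIONVALUE; path=/; domain=shop.example; HttpOnly; Secure"]

if __name__ == "__main__":
    for label, headers in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_response(headers, over_https=True) or ["OK"])
```

Feed it the Set-Cookie headers from a real response (for example, those captured with curl -I) to confirm the fix took effect on both port 80 and port 443.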

4 months later...

For some reason, I also followed the patch, but it doesn't work with my 2.2 shopping cart.

So, I have to add these extra lines to .htaccess:

    <IfModule php5_module>
        php_value session.cookie_httponly true
    </IfModule>

This is for version 2.2, so I believe it must be a server configuration problem; it is only for reference.


