I will look into correcting this; however, in my initial reading there is an extremely low amount of risk here. Ganglia Web uses cookies only for things like:
- Aggregate graphs input field arguments, e.g. host regex, metric regex
- Which tab you have open
etc.
There is no risk of session hijack as we do not use cookies for authentication.
Vladimir
On 05/29/2015 02:37 AM, Cristovao Cordeiro wrote:
Hi,
I think I've sent an email about this many months ago.
Now after the update, this is the output from skipfish:
Summary:
The application is missing the 'httpOnly' cookie
attribute
Vulnerability Detection Result:
The cookies
...
are missing the httpOnly attribute.
Impact:
Application
Solution:
Set the 'httpOnly' attribute for any session cookies.
Affected Software/OS:
Application with session handling in cookies.
Vulnerability Insight:
The flaw is due to a cookie is not using the 'httpOnly' attribute. This allows a cookie to be accessed by javascript which could lead to session hijacking attacks.
Vulnerability Detection Method:
Check all cookies sent by the application for a missing
'httpOnly' attribute
Details:
Missing httpOnly Cookie Attribute
Thanks
Cumprimentos / Best regards,
Cristóvão José Domingues Cordeiro
Is there an issue open for this and what are the details?
Vladimir
On 05/28/2015 04:40 AM, Cristovao Cordeiro wrote:
Hi all,
was this issue addressed:
NVT: Missing httpOnly Cookie Attribute
OID: 1.3.6.1.4.1.25623.1.0.105925
Threat: Medium (CVSS: 5.0)
Port: 80/tcp
Because after updating I still have it. Any idea
on how to solve it?
Thanks
Cumprimentos / Best regards,
Cristóvão José Domingues Cordeiro
IT Department - 28/R-018
CERN
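The check the scanner output above describes (flag every Set-Cookie that lacks HttpOnly) and the remediation it asks for, as an added Python example that is not part of this thread or of Ganglia Web; the cookie names in the sample headers are constructed, not Ganglia's.

```python
"""Detect and remediate Set-Cookie headers missing the HttpOnly attribute.

Added example, not Ganglia Web code. Cookie names below are constructed
for illustration only.
"""


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attr_lower: value|True})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # Flag-style attributes (HttpOnly, Secure) carry no value: store True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def cookies_missing_httponly(set_cookie_headers):
    """Names of cookies a scanner would report: no HttpOnly attribute present."""
    flagged = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if "httponly" not in attrs:
            flagged.append(name)
    return flagged


def add_httponly(header_value):
    """Return the header with '; HttpOnly' appended when missing (idempotent)."""
    _, _, attrs = parse_set_cookie(header_value)
    if "httponly" in attrs:
        return header_value
    return header_value.rstrip("; ") + "; HttpOnly"


# Constructed sample response headers (hypothetical names, not from Ganglia).
SAMPLE_HEADERS = [
    "ui_tab=aggregate; Path=/ganglia",          # UI state only, no HttpOnly
    "PHPSESSID=abc123; Path=/; HttpOnly",       # session cookie, already set
    "host_regex=web.*; Path=/ganglia; Secure",  # Secure but not HttpOnly
]

if __name__ == "__main__":
    print("flagged:", cookies_missing_httponly(SAMPLE_HEADERS))
    for h in SAMPLE_HEADERS:
        print("fixed:  ", add_httponly(h))
```

Whether a flagged cookie is actually exploitable depends on what it carries: as the reply above points out, cookies that hold only UI state such as a tab name or regex give a script nothing that could be used for session hijacking, whereas a session identifier without HttpOnly is the case the scanner's "Solution" line is about.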
_______________________________________________
Ganglia-developers mailing list
Ganglia-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ganglia-developers