Hi Guys, I had run an OpenVAS scan of an EE web server and found the following results. Trying to figure out if this is ignorable or if it needs to be addressed. If it does, I was hoping someone could provide some pointers. Thanks
Summary: The host is running a server with SSL and is prone to information disclosure vulnerability.
Vulnerability Detection Result: The cookies:
Set-Cookie: PHPSESSID=je7tgj29l7q85uu6pa1ji5gft6; path=/
Set-Cookie: staging__last_visit=1107617839; expires=Wed, 03-Feb-2016 15:37:19 GMT; path=/; domain=.removed.com; httponly
Set-Cookie: staging__last_activity=1422977839; expires=Wed, 03-Feb-2016 15:37:19 GMT; path=/; domain=.remomved.com httponly
Set-Cookie: staging__tracker=a:1:{i:0;s:5:"index";}; path=/; domain=.removed.com; httponly
Set-Cookie: staging__csrf_token=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.removed.com; httponly
Set-Cookie: staging__csrf_token=f4fd5204e1ad368b6df5f8314a7977e4de4e9124; expires=Tue, 03-Feb-2015 17:37:19 GMT; path=/; domain=.removed.com; httponly
Set-Cookie: staging__stashid=a:2:{s:2:"id";s:40:"1b6f125f2f3cd89d897c57d7d37309b775279e0e";s:2:"dt";i:1422977839;}; path=/; domain=.removed.com; httponly
are missing the secure attribute.
Affected Software/OS: Server with SSL.
Workaround: Set the ‘secure’ attribute for any cookies that are sent over an SSL connection.
Vulnerability Insight: The flaw is due to SSL cookie is not using ‘secure’ attribute, which allows cookie to be passed to the server by the client over non-secure channels (http) and allows attacker to conduct session hijacking attacks. remote systems.
Impact Level: Application
Well, this is not an EE issue (and if it was you haven’t provided the version #), but with your underlying server. I believe this is an Apache issue. Make sure you are running Apache 1.8.10 and ensure cookies are set to secure.
That is all assuming you have valid certificates and are running/forcing https.
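One way to re-check the response headers after changing the cookie settings, as an added example that is not part of the original thread: it parses Set-Cookie values like the ones in the scan output and reports which cookies still lack the secure or httponly attribute. The function names and the SAMPLE headers are constructed for illustration (values shortened, domain replaced with the placeholder example.com).

```python
# Added example: audit Set-Cookie header values for the Secure and HttpOnly
# attributes. All names and the SAMPLE data below are constructed.
REQUIRED = ("secure", "httponly")


def cookie_attributes(header_value):
    """Return (cookie name, set of lower-cased attribute names).

    The value is split on ';' and attributes are matched as whole tokens,
    case-insensitively. Serialized PHP values such as a:1:{i:0;...} contain
    semicolons, so fragments of the value also land in the set; they are
    harmless because only exact 'secure' / 'httponly' tokens are looked up.
    """
    name, _, rest = header_value.partition("=")
    parts = rest.split(";")[1:]
    attrs = {p.partition("=")[0].strip().lower() for p in parts if p.strip()}
    return name.strip(), attrs


def audit(header_values):
    """Map each cookie name to the list of required attributes it lacks."""
    findings = {}
    for value in header_values:
        name, attrs = cookie_attributes(value)
        missing = [a for a in REQUIRED if a not in attrs]
        if missing:
            findings[name] = missing
    return findings


# Constructed sample, modelled on the cookies in the scan result above.
SAMPLE = [
    'PHPSESSID=constructedsessionid; path=/',
    'staging__last_visit=1107617839; expires=Wed, 03-Feb-2016 15:37:19 GMT; '
    'path=/; domain=.example.com; httponly',
    'staging__tracker=a:1:{i:0;s:5:"index";}; path=/; domain=.example.com; httponly',
    'hardened=1; Path=/; Secure; HttpOnly',
]

if __name__ == "__main__":
    for name, missing in audit(SAMPLE).items():
        print(f"{name}: missing {', '.join(missing)}")
```

In the sample, PHPSESSID lacks both attributes, which matches the first cookie in the scan output: it is the only one listed without httponly.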