golfman2006 Posted January 11, 2009

We recently migrated to a new host/server and have now re-run our McAfee scan. We are getting the two vulnerabilities below, and our host says it has nothing to do with the server, rather with osCommerce. I tried searching through the forums and contributions, but found nothing. Can someone point me in the right direction to a fix or patch?

1. Missing Secure Attribute in an Encrypted Session (SSL) Cookie - The application sets a cookie over a secure channel without using the "secure" attribute. The RFC states that if the cookie does not have the secure attribute assigned to it, then the cookie can be passed to the server by the client over non-secure channels (http). Using this attack, an attacker may be able to intercept this cookie over the non-secure channel and use it for a session hijacking attack.

2. Potentially Sensitive Information Missing Secure Attribute in an Encrypted Session - The application sets a cookie over a secure channel without using the "secure" attribute. The RFC states that if the cookie does not have the secure attribute assigned to it, then the cookie can be passed to the server by the client over non-secure channels (http). Using this attack, an attacker may be able to intercept this cookie over the non-secure channel and use it for a session hijacking attack. The information that was sent was flagged as being potentially sensitive. Potentially sensitive information could be session tokens, user IDs, or passwords.

Thanks in advance....
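The two scanner findings quoted above both come down to the same check: does each `Set-Cookie` header issued over HTTPS carry the `Secure` attribute? The following is an added example (not code from the thread or from osCommerce) that performs that check on raw `Set-Cookie` header values and shows what a hardened header looks like. The header names, cookie names and values in `SAMPLE_HEADERS` are constructed for illustration; `audit_response` and `harden_set_cookie` are hypothetical helper names, not part of any scanner or of osCommerce.

```python
"""Audit Set-Cookie headers for the Secure (and HttpOnly) attributes.

Added example, not from the forum thread or osCommerce. It mirrors the
scanner finding "Missing Secure Attribute in an Encrypted Session Cookie":
a cookie set over TLS without `Secure` will also be sent by the browser over
plain http://, where it can be observed on the network.
"""
from typing import Dict, List, Tuple

# Constructed sample headers, as a server might emit them on an HTTPS response.
SAMPLE_HEADERS = [
    "sessid=1a2b3c; path=/; domain=.example.com",          # session cookie, no flags
    "token=deadbeef; path=/; Secure; HttpOnly",            # correctly flagged
    "theme=light; path=/; HttpOnly",                       # HttpOnly but not Secure
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split a Set-Cookie value into name, value and a lower-cased attribute map.

    Flag attributes such as `Secure` and `HttpOnly` have no value and are stored
    with an empty string so presence can be tested with `in`.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header: str, over_tls: bool = True) -> Tuple[str, List[str]]:
    """Return (cookie name, list of issues) for one Set-Cookie header.

    `over_tls` says whether the response was served on HTTPS; the Secure check
    only makes sense there, which is why the scanner names the finding
    "in an Encrypted Session".
    """
    cookie = parse_set_cookie(header)
    attrs: Dict[str, str] = cookie["attrs"]  # type: ignore[assignment]
    issues: List[str] = []
    if over_tls and "secure" not in attrs:
        # Without Secure the browser will replay this cookie on http:// URLs
        # for the same domain; a domain=.example.com scope widens that to every
        # host under it, including any that are not TLS-only.
        issues.append("missing Secure attribute")
    if "httponly" not in attrs:
        # Not what McAfee flagged here, but the same class of hardening:
        # HttpOnly keeps the cookie out of reach of page scripts.
        issues.append("missing HttpOnly attribute")
    return str(cookie["name"]), issues


def audit_response(headers: List[str], over_tls: bool = True) -> List[Tuple[str, List[str]]]:
    """Audit every Set-Cookie header of a response; only cookies with issues are returned."""
    results = []
    for header in headers:
        name, issues = audit_set_cookie(header, over_tls)
        if issues:
            results.append((name, issues))
    return results


def harden_set_cookie(header: str) -> str:
    """Return the header with Secure and HttpOnly appended where they are absent.

    This is the shape of the fix: the attributes are appended to the header the
    application already sends; nothing else about the cookie changes.
    """
    attrs = parse_set_cookie(header)["attrs"]
    parts = [p.strip() for p in header.split(";")]
    if "secure" not in attrs:  # type: ignore[operator]
        parts.append("Secure")
    if "httponly" not in attrs:  # type: ignore[operator]
        parts.append("HttpOnly")
    return "; ".join(parts)


if __name__ == "__main__":
    for name, issues in audit_response(SAMPLE_HEADERS):
        print(f"{name}: {', '.join(issues)}")
    print("hardened:", harden_set_cookie(SAMPLE_HEADERS[0]))
```

In a PHP application such as osCommerce the corresponding change is made where the session cookie is configured, not by editing headers by hand: PHP's `session.cookie_secure` ini setting (or the `secure` argument of `session_set_cookie_params()`) makes PHP emit the `Secure` attribute on its own session cookie, and `session.cookie_httponly` does the same for `HttpOnly`. Where exactly osCommerce sets those for a given version is something to confirm in that installation's own session code rather than assume.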
tsteele Posted January 28, 2009

Hey Golfman,

Did you resolve this issue? I am getting the same result from McAfee. We recently moved as well and upgraded to PHP 5 in the process. We are running a MS2.2 modified store. What's interesting is we used to have our SSL server set up a bit different on our old box... we never had issues with scans.

Old set-up
http server: http://mydomain.com
https server: https://secure.mydomain.com
http cookie: .mydomain.com
https cookie: secure.mydomain.com

No errors with the above!!

New box
http server: http://mydomain.com
https server: https://.mydomain.com
http cookie: .mydomain.com
https cookie: .mydomain.com

Notice the small differences? Did you have a similar configuration? Please advise... thanks!

-TS
Guest Posted February 10, 2009

I'm also having the same vulnerability issues. Can anyone help with this?