Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

McAfee Hacker Vulnerability Scan results


golfman2006

Recommended Posts

We recently migrated to a new host/server and have now re-run our McAfee scan, we are getting the two below vulnerabilities and our host says it has nothing to do with the server, rather with osCommerce. I tried searching through the forums and contributions, but found nothing. Can someone point in the right direction to a fix or patch?

 

1. Missing Secure Attribute in an Encrypted Session (SSL) Cookie - The application sets a cookie over a secure channel without using the "secure" attribute. RFC states that if the cookie does not have the secure attribute assigned to it, then the cookie can be passed to the server by the client over non-secure channels (http). Using this attack, an attacker may be able to intercept this cookie, over the non-secure channel, and use it for a session hijacking attack.

 

2. Potentially Sensitive Information Missing Secure Attribute in an Encrypted Session - The application sets a cookie over a secure channel without using the "secure" attribute. RFC states that if the cookie does not have the secure attribute assigned to it, then the cookie can be passed to the server by the client over non-secure channels (http). Using this attack, an attacker may be able to intercept this cookie, over the non-secure channel, and use it for a session hijacking attack. The information that was sent was flagged as being potentially sensitive. Potentially sensitive information could be session tokens, user id's, or passwords.

 

Thanks in advance....

Link to comment
Share on other sites

  • 3 weeks later...

Hey Golfman,

 

Did you resolve this issue? I am getting the same result from McAfee.

 

We recently moved as well and upgraded to Php5 in the process. We are running a MS2.2 modified store.

 

What's interesting we used to have our SSL server set-up a bit different on our old box...we never had issues with scans.

 

Old set-up

http server: http://mydomain.com

https server: https://secure.mydomain.com

 

http cookie: .mydomain.com

https cookie: secure.mydomain.com

 

No errors with the above!!

 

New box

http server: http://mydomain.com

https server: https://.mydomain.com

 

http cookie: .mydomain.com

https cookie: .mydomain.com

 

Notice the small differences?

 

Did you have a similar configuration?

 

Please advise...thanks!

 

-TS

Link to comment
Share on other sites

  • 2 weeks later...

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...