www.in.no Posted December 6, 2012 Posted December 6, 2012 Just had a PCI scan with McAfee, and got one error that i am not sure how to fix. Or if it is a false positive... Sensitive Cookie Missing 'HTTPONLY' Attribute on port 443 and 80. ---- And i have also one question on how to secure alias directory phpmyadmin. Web Server Uses Basic Authentication Without HTTPS ---- Severity Name Port Category Status Medium Sensitive Cookie Missing 'HTTPONLY' Attribute 443/tcp Web Application Fail Description The application does not utilize HTTP-only cookies. This is a new security feature introduced by Microsoft in IE 6 SP1 to mitigate the possibility of successful Cross-site Scripting attacks by not allowing cookies with the "HttpOnly" flag to be accessed via client-side scripts. An attacker can easily steal a user's session if the attacker is able to manipulate the Javascript. This vulnerability has a very high security impact if the site is also vulnerable to Cross Site Scripting (XSS). CVSS Score 4.3 CVSS Fingerprint AV:N/AC:M/Au:N/C:P/I:N/A:N Solution Set the "HTTPONLY" flag for cookies containing sensitive information, particularly session tokens. Details Protocol https Port 443 Read Timeout 10000 Method GET Path / Headers Via=%22Xx%3CXaXaXXaXaX%3ExXx%27%3B%22%2C%29%60 HttpOnly attribute is not used: osCsid=DKSVpqIUDwIXXOuo5FN2zkRmtM6PMXbyr0bS7AuiFKwWZCw1tAXvGW9PP9Rp8FOk; path=/; domain=osc.allmedia.no Links None References None Severity Name Port Category Status Medium Sensitive Cookie Missing 'HTTPONLY' Attribute 80/tcp Web Application Fail Description The application does not utilize HTTP-only cookies. This is a new security feature introduced by Microsoft in IE 6 SP1 to mitigate the possibility of successful Cross-site Scripting attacks by not allowing cookies with the "HttpOnly" flag to be accessed via client-side scripts. An attacker can easily steal a user's session if the attacker is able to manipulate the Javascript. This vulnerability has a very high security impact if the site is also vulnerable to Cross Site Scripting (XSS). CVSS Score 4.3 CVSS Fingerprint AV:N/AC:M/Au:N/C:P/I:N/A:N Solution Set the "HTTPONLY" flag for cookies containing sensitive information, particularly session tokens. Details Protocol http Port 80 Read Timeout 10000 Method GET Path / Headers Host=osc.allmedia.no HttpOnly attribute is not used: osCsid=g3R2YA7THKKxLEnUAC_nsvUkk2mnYyKSPP4oTdeS5xjUGdRwFa8cW8cbUjE7P7yd; path=/; domain=osc.allmedia.no Protocol http Port 80 Read Timeout 10000 Method GET Path / Headers Via=%22Xx%3CXaXaXXaXaX%3ExXx%27%3B%22%2C%29%60 HttpOnly attribute is not used: osCsid=wiuXw5J0rJwZLoKtDxdNRhAbgxbesrgvRjgDUlO7eb48jhNrL6vCeXZziHm2cQQ3; path=/; domain=osc.allmedia.no Links None References None
acidvertigo Posted December 6, 2012 Posted December 6, 2012 If you are on 2.3.x you can patch the cookie with this fix https://github.com/acidvertigo/oscommerce2/commit/7f9ffb9e6ccc6a6305c0f755f94c51a1943b1aae
www.in.no Posted December 7, 2012 Author Posted December 7, 2012 Tanks for pointing out the directions.....
ken0306 Posted April 10, 2013 Posted April 10, 2013 If you are on 2.3.x you can patch the cookie with this fix https://github.com/acidvertigo/oscommerce2/commit/7f9ffb9e6ccc6a6305c0f755f94c51a1943b1aae would this patch apply to osc 2.2 version? thank you ken
Jack_mcs Posted April 11, 2013 Posted April 11, 2013 Yes, the fix is the same. Support Links: For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc. All of My Addons Get the latest versions of my addons Recommended SEO Addons
ken0306 Posted April 11, 2013 Posted April 11, 2013 For some reason, I also follow the patch, it doesn't work with my 2.2 shopping cart. So, I have to add the extra line under .htaccess line <IfModule php5_module> php_value session.cookie_httponly true </IfModule> For 2.2 version, so I believe it must be the server configuration problem. so it is only for reference.
New 
Recommended Posts
Archived
This topic is now archived and is closed to further replies.