Bug #7503

closed

Web Interface and possible app configuration issue

Added by Andrew Hardy over 8 years ago. Updated over 8 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 04/30/2017
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version: 2.3.3_1
Affected Plus Version:
Affected Architecture:

Description

Version: 2.3.3_1
Vulnerability Scanner: OpenVAS
Possible Vulnerability #1: SSL/TLS: Missing `secure` Cookie Attribute
- Extra Info:

The cookies:

Set-Cookie: PHPSESSID=***replaced***; path=/

are missing the "secure" attribute.

Possible Vulnerability #2: Missing `httpOnly` Cookie Attribute
- Extra Info:

The cookies:

Set-Cookie: PHPSESSID=***replaced***; path=/

are missing the "httpOnly" attribute.

A forum post from 2014, Bug #4069, appeared to identify a similar problem related to Cookie_Test. I don't know enough to determine whether this one is a false positive or not. Seeking clarity. If it is a false positive, it would be nice to make changes to prevent the false positive from triggering in vulnerability scanners. Seeking clarity here.

Cheers,
A
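The two findings above both come down to reading the attribute list of each Set-Cookie header. The following is an added example (not from this report or from pfSense) that reproduces that check over a captured response header block, so a defender can confirm a scanner result against the response the host under test actually returned; the sample response is constructed and uses the redacted cookie value from the report.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes."""
from typing import Dict, List

# Attributes whose absence the two findings in the report complain about.
# Attribute names are case-insensitive (RFC 6265), so they are compared lowered.
REQUIRED_ATTRIBUTES = ("secure", "httponly")


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into cookie name, value and attribute map.

    Flag attributes such as Secure carry the value True; valued ones such
    as path carry their string value.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": cookie_value, "attrs": attrs}


def audit_headers(raw_headers: str) -> List[str]:
    """Return one finding per cookie and missing attribute.

    raw_headers is the response header block as captured on the wire
    (CRLF separated). Each finding is prefixed with the status line, so a
    cookie set by a redirect response (i.e. by some other web service,
    as the reply below suggests) is easy to tell apart from the firewall's own.
    """
    lines = raw_headers.split("\r\n")
    status = lines[0] if lines else ""
    findings: List[str] = []
    for line in lines[1:]:
        header, sep, value = line.partition(":")
        if not sep or header.strip().lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        for attr in REQUIRED_ATTRIBUTES:
            if attr not in cookie["attrs"]:
                findings.append(f"{status}: cookie {cookie['name']} missing {attr}")
    return findings


# Constructed sample response reproducing the header quoted in the report.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: PHPSESSID=***replaced***; path=/\r\n"
    "Content-Type: text/html\r\n"
)

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_RESPONSE):
        print(finding)
```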

Actions #1

Updated by Jim Pingle over 8 years ago

  • Status changed from New to Rejected

Are you sure your scanner is hitting the firewall and not being redirected to another web service?

Looking at the cookies set in my browser when accessing various pfSense firewalls, they have appropriate flags set on the cookies.
