Bug #7503

closed

Web Interface and possible app configuration issue

Added by Andrew Hardy over 8 years ago. Updated over 8 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 04/30/2017
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version: 2.3.3_1
Affected Plus Version:
Affected Architecture:

Description

Version: 2.3.3_1
Vulnerability Scanner: OpenVAS
Possible Vulnerability #1: SSL/TLS: Missing `secure` Cookie Attribute
- Extra Info:

The cookies:

Set-Cookie: PHPSESSID=***replaced***; path=/

are missing the "secure" attribute.

Possible Vulnerability #2: Missing `httpOnly` Cookie Attribute
- Extra Info:

The cookies:

Set-Cookie: PHPSESSID=***replaced***; path=/

are missing the "httpOnly" attribute.

A forum post from 2014, Bug #4069, appeared to identify a similar problem related to Cookie_Test. I don't know enough to determine if this one is a false positive or not. Seeking clarity. If it is a false positive, it would be nice to make changes to avoid the false positive from triggering in vulnerability scanners. Seeking clarity here.

Cheers,
A
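
The two findings above can be re-checked offline against captured response headers. The following Python is an added example, not part of the original report or of the project's code; the function names and the sample headers are constructed for illustration. It matches attribute names as whole tokens, so a cookie value that merely contains the word "secure" does not hide a missing flag.

```python
# Added example: audit Set-Cookie headers for the Secure and HttpOnly attributes.
REQUIRED = ("secure", "httponly")


def parse_set_cookie(header):
    """Return (cookie_name, set of lower-cased attribute names)."""
    # Accept either a full header line or just the header value.
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    # The first segment is name=value; everything after it is an attribute.
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; flags such as Secure carry no value.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def missing_flags(header):
    """Return (cookie_name, list of required flags the cookie lacks)."""
    name, attrs = parse_set_cookie(header)
    return name, [flag for flag in REQUIRED if flag not in attrs]


def audit(headers):
    """Map cookie name -> missing flags, only for cookies that lack any."""
    findings = {}
    for header in headers:
        name, missing = missing_flags(header)
        if missing:
            findings[name] = missing
    return findings


# Constructed sample headers; the session values are placeholders.
SAMPLE = [
    "Set-Cookie: PHPSESSID=placeholder; path=/",
    "Set-Cookie: PHPSESSID2=placeholder; path=/; Secure; HttpOnly",
    "Set-Cookie: pref=secure-httponly; Path=/; httponly",
]

if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```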
