topic Re: Reported vulnerability for HP System Management Homepage in Server Management - Systems Insight Manager

Reported vulnerability for HP System Management Homepage

donbbabb — Mon, 01 Oct 2012 18:50:35 GMT

After running a security audit we were hit with the following vulnerability on several servers and wanted to see if there was a fix for this vulnerability. Thx Don

Running System Management Homepage version 9.1.0-301

Nexpos Vulnerbility: Missing HttpOnly Flag From Cookie

Desc:

HttpOnly is an additional flag included in a Set-Cookie HTTP response header. If supported by the browser, using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie. If a browser that supports HttpOnly detects a cookie containing the HttpOnly flag, and client side script code attempts to read the cookie, the browser returns an empty string as the result. This causes the attack to fail by preventing the malicious (usually XSS) code from sending the data to an attacker's website.

Proof:

Cookie is not marked as HttpOnly: 'Compaq-HMMD=0001-7b8369c9-f2cf-324f-8386-5528bd04faaf-1347655641042214; path=/; secure; domain=ServerName'

URL: http://ServerName:2301/login.jsp

Cookie is not marked as HttpOnly: 'Compaq-HMMD=0001-352c1600-b869-8b48-801f-861859867f56-1347655641479017; path=/; secure; domain=ServerName'

URL: https://ServerName:2381/exchange/default.asp

Nexpos Solution:

Add the HttpOnly to all cookies

For each cookie generated by your web-site, add the "HttpOnly" flag to the cookie. For example:

Set-Cookie: <name>=<value>[; <Max-Age>=<age>]

[; expires=<date>][; domain=<domain_name>]

[; path=<some_path>][; secure][; HttpOnly]

Re: Reported vulnerability for HP System Management Homepage

Dirte — Tue, 18 Mar 2014 20:27:35 GMT

In the same boat here. Ran the same exact scan with the same vulnerability found. There is nothing on HP's website that even acknowledges this. Is this something we have to live with? Can we get a feature request put in to change this setting?

Re: Reported vulnerability for HP System Management Homepage

Dirte — Thu, 20 Mar 2014 13:43:10 GMT

Finally got to the bottom of this issue. I opened a ticket with the HP's software security response team (SSRT). Here is the reply to the specific vulnerability from Rapid7's Nexpose scan.

***************************************

From: HP SSRT Security Alert [mailto:security-alert@hp.com]
Sent: Wednesday, March 19, 2014 2:46 PM
Subject: Re: HP System Management Homepage (SMH) Missing HttpOnly Flag from Cookie

Hello,

Thank you for contacting the HP Software Security Response Team (SSRT).

HP Product Engineering for System Management Homepage (SMH) evaluated the Missing HttpOnly Flag from Cookie issue and has provided the following position statement…

The reported vulnerability i.e. Missing HttpOnly Flag from Cookie is a client

side defense mechanism and not a vulnerability, where HTTP-only cookies cannot be

accessed by client side script attack (XSS).

The HTTP-only cookies denotes the cookies that are not visible

through the DOM i.e. not permitting a script to access an HTTP-only cookie.

Thus, mitigating the risk of client side script accessing the protected cookie.

But, HTTP-only cookies do not prevent all XSS exploits and using them is *not a

substitute for eliminating XSS vulnerabilities*.

It is a setting which cannot be relied on as all the browsers do not

support it.

There is no way to control the version of the browser used by the end

user.

We have implemented sure ways of defending XSS attacks (server side input

validation, input and output encoding) in SMH which are server side settings

and prevent such attacks from taking place.

Thus the reported vulnerability Missing HttpOnly Flag from Cookie is not a

true vulnerability.

Yours truly,

Software Security Response Team (SSRT)

Hewlett-Packard Company

**********************************

So there you have it. Some times it's by design and the scan is just over reactive.

Just on a other side note while I was searching. If you turn this on, it could break some apps. In the Microsoft OWA world, breaks it. Apache and others alike, results may very.

Dirte