- Community Home
- >
- Servers and Operating Systems
- >
- HPE ProLiant
- >
- Server Management - Systems Insight Manager
- >
- Re: Reported vulnerability for HP System Managemen...
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-01-2012 11:50 AM
10-01-2012 11:50 AM
Reported vulnerability for HP System Management Homepage
After running a security audit we were hit with the following vulnerability on several servers and wanted to see if there was a fix for this vulnerability. Thx Don
Running System Management Homepage version 9.1.0-301
Nexpos Vulnerbility: Missing HttpOnly Flag From Cookie
Desc:
HttpOnly is an additional flag included in a Set-Cookie HTTP response header. If supported by the browser, using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie. If a browser that supports HttpOnly detects a cookie containing the HttpOnly flag, and client side script code attempts to read the cookie, the browser returns an empty string as the result. This causes the attack to fail by preventing the malicious (usually XSS) code from sending the data to an attacker's website.
Proof:
Cookie is not marked as HttpOnly: 'Compaq-HMMD=0001-7b8369c9-f2cf-324f-8386-5528bd04faaf-1347655641042214; path=/; secure; domain=ServerName'
URL: http://ServerName:2301/login.jsp
Cookie is not marked as HttpOnly: 'Compaq-HMMD=0001-352c1600-b869-8b48-801f-861859867f56-1347655641479017; path=/; secure; domain=ServerName'
URL: https://ServerName:2381/exchange/default.asp
Nexpos Solution:
Add the HttpOnly to all cookies
For each cookie generated by your web-site, add the "HttpOnly" flag to the cookie. For example:
Set-Cookie: <name>=<value>[; <Max-Age>=<age>]
[; expires=<date>][; domain=<domain_name>]
[; path=<some_path>][; secure][; HttpOnly]
- Tags:
- SMH
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-18-2014 01:27 PM
03-18-2014 01:27 PM
Re: Reported vulnerability for HP System Management Homepage
In the same boat here. Ran the same exact scan with the same vulnerability found. There is nothing on HP's website that even acknowledges this. Is this something we have to live with? Can we get a feature request put in to change this setting?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-20-2014 06:43 AM
03-20-2014 06:43 AM
Re: Reported vulnerability for HP System Management Homepage
Finally got to the bottom of this issue. I opened a ticket with the HP's software security response team (SSRT). Here is the reply to the specific vulnerability from Rapid7's Nexpose scan.
***************************************
From: HP SSRT Security Alert [mailto:security-alert@hp.com]
Sent: Wednesday, March 19, 2014 2:46 PM
Subject: Re: HP System Management Homepage (SMH) Missing HttpOnly Flag from Cookie
Hello,
Thank you for contacting the HP Software Security Response Team (SSRT).
HP Product Engineering for System Management Homepage (SMH) evaluated the Missing HttpOnly Flag from Cookie issue and has provided the following position statement…
The reported vulnerability i.e. Missing HttpOnly Flag from Cookie is a client
side defense mechanism and not a vulnerability, where HTTP-only cookies cannot be
accessed by client side script attack (XSS).
The HTTP-only cookies denotes the cookies that are not visible
through the DOM i.e. not permitting a script to access an HTTP-only cookie.
Thus, mitigating the risk of client side script accessing the protected cookie.
But, HTTP-only cookies do not prevent all XSS exploits and using them is *not a
substitute for eliminating XSS vulnerabilities*.
It is a setting which cannot be relied on as all the browsers do not
support it.
There is no way to control the version of the browser used by the end
user.
We have implemented sure ways of defending XSS attacks (server side input
validation, input and output encoding) in SMH which are server side settings
and prevent such attacks from taking place.
Thus the reported vulnerability Missing HttpOnly Flag from Cookie is not a
true vulnerability.
Yours truly,
Software Security Response Team (SSRT)
Hewlett-Packard Company
**********************************
So there you have it. Some times it's by design and the scan is just over reactive.
Just on a other side note while I was searching. If you turn this on, it could break some apps. In the Microsoft OWA world, breaks it. Apache and others alike, results may very.
Dirte