Server Management - Systems Insight Manager

donbbabb
Occasional Contributor

Reported vulnerability for HP System Management Homepage

After running a security audit we were hit with the following vulnerability on several servers and wanted to see if there was a fix for this vulnerability. Thx Don

Running System Management Homepage version 9.1.0-301

Nexpose Vulnerability: Missing HttpOnly Flag From Cookie

Desc:

HttpOnly is an additional flag included in a Set-Cookie HTTP response header. If supported by the browser, using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie. If a browser that supports HttpOnly detects a cookie containing the HttpOnly flag, and client side script code attempts to read the cookie, the browser returns an empty string as the result. This causes the attack to fail by preventing the malicious (usually XSS) code from sending the data to an attacker's website.

Proof:

Cookie is not marked as HttpOnly: 'Compaq-HMMD=0001-7b8369c9-f2cf-324f-8386-5528bd04faaf-1347655641042214; path=/; secure; domain=ServerName'

URL: http://ServerName:2301/login.jsp

Cookie is not marked as HttpOnly: 'Compaq-HMMD=0001-352c1600-b869-8b48-801f-861859867f56-1347655641479017; path=/; secure; domain=ServerName'

URL: https://ServerName:2381/exchange/default.asp

Nexpose Solution:

Add the HttpOnly to all cookies

For each cookie generated by your web-site, add the "HttpOnly" flag to the cookie. For example:

Set-Cookie: <name>=<value>[; Max-Age=<age>]
            [; expires=<date>][; domain=<domain_name>]
            [; path=<some_path>][; secure][; HttpOnly]
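Added example (not part of the original post, and not HP or Nexpose code): a small Python script that reproduces the scanner's check by parsing Set-Cookie header values and reporting which of the HttpOnly and Secure flags each cookie lacks. The sample headers are constructed from the two cookie strings quoted above, plus a hardened copy of the first one showing what the header should look like after the fix; fetch_set_cookies() is a hypothetical helper for running the same check against a live SMH instance (it skips certificate verification because SMH typically ships a self-signed certificate).

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags.

Added example, not part of the original forum post or of HP SMH; it
reproduces the kind of check a scanner such as Nexpose performs.
"""
import http.client
import ssl
from urllib.parse import urlsplit


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased.  Flag attributes (secure, httponly)
    map to True; valued attributes (path, domain, ...) map to their value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def missing_flags(header_value, required=("httponly", "secure")):
    """Return the required flags that are absent from one Set-Cookie header."""
    _, _, attrs = parse_set_cookie(header_value)
    return [flag for flag in required if flag not in attrs]


def audit_headers(set_cookie_values):
    """Return [(cookie_name, [missing flags]), ...]; an empty list means OK.

    A list (not a dict) is used because the same cookie name can be set
    several times, as Compaq-HMMD is on the two SMH URLs in the post.
    """
    return [(parse_set_cookie(hv)[0], missing_flags(hv)) for hv in set_cookie_values]


def fetch_set_cookies(url, timeout=10):
    """Hypothetical helper: GET `url` and return its raw Set-Cookie values.

    Certificate verification is disabled on purpose (self-signed SMH cert);
    the point of the check is the cookie flags, not the chain.
    """
    u = urlsplit(url)
    if u.scheme == "https":
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(u.hostname, u.port or 443,
                                           timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    conn.request("GET", u.path or "/")
    resp = conn.getresponse()
    # get_all() keeps repeated Set-Cookie headers separate instead of joining them
    return resp.headers.get_all("Set-Cookie") or []


# Constructed sample: the two cookies quoted in the post, plus a hardened
# version of the first one as it should look once HttpOnly is added.
SAMPLE_HEADERS = [
    "Compaq-HMMD=0001-7b8369c9-f2cf-324f-8386-5528bd04faaf-1347655641042214; path=/; secure; domain=ServerName",
    "Compaq-HMMD=0001-352c1600-b869-8b48-801f-861859867f56-1347655641479017; path=/; secure; domain=ServerName",
    "Compaq-HMMD=0001-7b8369c9-f2cf-324f-8386-5528bd04faaf-1347655641042214; path=/; secure; domain=ServerName; HttpOnly",
]

if __name__ == "__main__":
    for name, gaps in audit_headers(SAMPLE_HEADERS):
        print(f"{name}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

To check a live server, replace SAMPLE_HEADERS with fetch_set_cookies("https://ServerName:2381/") and confirm every cookie reports OK; the check only covers the flags, so a cookie that passes here can still be weak for other reasons (long lifetime, overly broad Domain).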
