10-01-2012 11:50 AM
Reported vulnerability for HP System Management Homepage
After running a security audit we were hit with the following vulnerability on several servers and wanted to see if there was a fix for this vulnerability. Thx Don
Running System Management Homepage version 9.1.0-301
Nexpose Vulnerability: Missing HttpOnly Flag From Cookie
Desc:
HttpOnly is an additional flag included in a Set-Cookie HTTP response header. If supported by the browser, using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie. If a browser that supports HttpOnly detects a cookie containing the HttpOnly flag, and client side script code attempts to read the cookie, the browser returns an empty string as the result. This causes the attack to fail by preventing the malicious (usually XSS) code from sending the data to an attacker's website.
Proof:
Cookie is not marked as HttpOnly: 'Compaq-HMMD=0001-7b8369c9-f2cf-324f-8386-5528bd04faaf-1347655641042214; path=/; secure; domain=ServerName'
URL: http://ServerName:2301/login.jsp
Cookie is not marked as HttpOnly: 'Compaq-HMMD=0001-352c1600-b869-8b48-801f-861859867f56-1347655641479017; path=/; secure; domain=ServerName'
URL: https://ServerName:2381/exchange/default.asp
Nexpose Solution:
Add the HttpOnly to all cookies
For each cookie generated by your web-site, add the "HttpOnly" flag to the cookie. For example:
Set-Cookie: <name>=<value>[; <Max-Age>=<age>]
[; expires=<date>][; domain=<domain_name>]
[; path=<some_path>][; secure][; HttpOnly]
- Tags:
- SMH
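The scanner finding above boils down to a check you can reproduce yourself: parse each Set-Cookie header in a response and report any cookie that is missing the HttpOnly (and Secure) attribute. The following is an added example written for this page, not code from the original post, from HP, or from the Nexpose scanner. The two response header blocks are constructed inline: the first reuses the SMH cookie string quoted in the finding, the second shows the same cookie after the fix the scanner recommends.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure attributes.

Added example for the HP SMH "Missing HttpOnly Flag From Cookie" finding.
Attribute names are compared case-insensitively, as RFC 6265 requires.
"""
from dataclasses import dataclass


@dataclass
class CookieReport:
    name: str          # cookie name, e.g. "Compaq-HMMD"
    attributes: dict   # lower-cased attribute name -> value (True for flags)
    missing: list      # required attributes that were not present


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Bare attributes such as "secure" or "HttpOnly" carry no value.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_set_cookie(header_value, required=("httponly", "secure")):
    """Return a CookieReport listing which required attributes are absent."""
    name, _value, attrs = parse_set_cookie(header_value)
    missing = [flag for flag in required if flag not in attrs]
    return CookieReport(name, attrs, missing)


def audit_response_headers(raw_headers, required=("httponly", "secure")):
    """Audit every Set-Cookie line in a raw HTTP response header block."""
    reports = []
    for line in raw_headers.splitlines():
        field_name, sep, field_value = line.partition(":")
        if sep and field_name.strip().lower() == "set-cookie":
            reports.append(audit_set_cookie(field_value.strip(), required))
    return reports


# Constructed sample: the cookie string quoted in the scanner's "Proof" section,
# embedded in a minimal response header block.
SAMPLE_SCAN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: Compaq-HMMD=0001-7b8369c9-f2cf-324f-8386-5528bd04faaf-"
    "1347655641042214; path=/; secure; domain=ServerName\r\n"
    "\r\n"
)

# Constructed sample: the same cookie with the HttpOnly attribute added,
# i.e. what the scanner's recommended fix produces.
SAMPLE_FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: Compaq-HMMD=0001-7b8369c9-f2cf-324f-8386-5528bd04faaf-"
    "1347655641042214; path=/; secure; domain=ServerName; HttpOnly\r\n"
    "\r\n"
)


if __name__ == "__main__":
    for label, headers in (("scanned", SAMPLE_SCAN_RESPONSE),
                           ("fixed", SAMPLE_FIXED_RESPONSE)):
        for report in audit_response_headers(headers):
            status = "OK" if not report.missing else "missing " + ", ".join(report.missing)
            print(f"[{label}] {report.name}: {status}")
```

Pointing this at a live server would mean capturing the response headers (for example with a proxy or `curl -i`) and feeding the text to `audit_response_headers`; the `required` tuple can be narrowed to `("httponly",)` if you only want to reproduce this particular finding. Note that the scanner's own proof lists a cookie carrying `secure` on an `http://` URL (port 2301), so the Secure check is worth keeping alongside HttpOnly when reviewing SMH's redirect behaviour.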