[Spacewalk-list] HTTPOnly cookie tag

Pierre Casenove pcasenove at gmail.com
Mon Aug 29 10:28:51 UTC 2011


Hello,
My security team has run vulnerability tests on Spacewalk 1.5 and found 2
issues:
- One XSS flaw on the forgot password page
- Missing HTTPOnly tag in the cookie.

I've tried to add the HTTPOnly tag to the cookie using mod_headers with Apache,
but the Overview page fails with the error "Session error" when we add it.
This is the only page failing from my quick tests.
Is the cookie accessed from JavaScript in Spacewalk? Would it be possible
to correct it?

I'll post later for the XSS flaw, I still need more information to give to
you.

Thanks
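The check behind this report, as an added example that is not part of the original post and not Spacewalk's own code: a small Python audit of the Set-Cookie headers in a captured HTTP response, reporting which cookies lack HttpOnly (and Secure), plus a function that mirrors what a mod_headers rewrite of the form `Header edit Set-Cookie ^(.*)$ "$1; HttpOnly"` does to each header value. The response, the cookie names and the negative-lookahead variant of the regex are constructed for illustration; the lookahead is assumed to be available because httpd's regex support is PCRE-based, so verify it against your Apache build.

```python
"""
Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example; not code from the Spacewalk project. The sample response,
cookie names and values below are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Attributes a session cookie should carry (compared case-insensitively,
# as RFC 6265 requires).
REQUIRED_ATTRS = ("HttpOnly", "Secure")

# Constructed sample response, shaped like what a scanner or
# `curl -i` would capture from a login or page request.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: session=a1b2c3; Path=/; Secure\r\n"
    "Set-Cookie: prefs=en; Path=/; HttpOnly\r\n"
    "Set-Cookie: csrf=z9y8x7; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><body>ok</body></html>"
)


def parse_set_cookie(value: str) -> Tuple[str, List[str]]:
    """Split one Set-Cookie value into the cookie name and the
    lower-cased names of its attributes (Path, Secure, HttpOnly, ...)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = [p.split("=", 1)[0].strip().lower() for p in parts[1:] if p]
    return name, attrs


def set_cookie_headers(raw_response: str) -> List[str]:
    """Return every Set-Cookie value from a raw HTTP/1.x response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    found = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        field, _, value = line.partition(":")
        if field.strip().lower() == "set-cookie":
            found.append(value.strip())
    return found


def audit_response(raw_response: str) -> Dict[str, List[str]]:
    """Map each cookie name to the required attributes it is missing.
    An empty list means the cookie already carries all of them."""
    report: Dict[str, List[str]] = {}
    for header in set_cookie_headers(raw_response):
        name, attrs = parse_set_cookie(header)
        report[name] = [a for a in REQUIRED_ATTRS if a.lower() not in attrs]
    return report


# Python equivalent of the mod_headers directive
#   Header edit Set-Cookie ^((?!.*;\s*HttpOnly).*)$ "$1; HttpOnly"
# The negative lookahead (assumed to work because httpd's regex engine is
# PCRE-based) stops the rewrite from appending a second HttpOnly when the
# application already set one; the plain ^(.*)$ form does not.
HTTPONLY_EDIT = re.compile(r"^((?!.*;\s*HttpOnly).*)$", re.IGNORECASE)


def add_httponly(value: str) -> str:
    """Apply the rewrite to a single Set-Cookie value."""
    return HTTPONLY_EDIT.sub(r"\1; HttpOnly", value)


if __name__ == "__main__":
    for cookie, missing in audit_response(SAMPLE_RESPONSE).items():
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie}: {status}")
    for header in set_cookie_headers(SAMPLE_RESPONSE):
        print("after rewrite:", add_httponly(header))
```

The caveat this thread runs into: a proxy-side rewrite only changes what the browser is told, it cannot change what the application expects. If any page script reads the session token out of `document.cookie`, HttpOnly hides the cookie from that script and the page breaks exactly as described ("Session error"), while server-side requests still carry the cookie. The durable fix is to stop reading the token client-side, which is why the question has to go to the application's developers rather than be solved in httpd.conf.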