Missing "secure" and "httpOnly" Cookie Attributes #8330
Comments
httponly is only missing when we are deleting the cookie. Whenever we actually set a value, we use the httponly flag. We do set the Secure attribute when we detect that it is running over ssl, but it's possible that it is missing something in your setup. What OS are you on and how did you install and run cockpit?
Running Fedora 27 Server from NetInstall Minimal installation. Installed via: dnf install cockpit. It's only accessible via https.
In that case I'm pretty confident that what you are seeing is just the cookie being deleted. A cookie with any real value should have both the httponly and the secure attributes.
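The distinction drawn in the two maintainer replies above (a cookie carrying a real value is emitted with both attributes, the deletion header is not) is exactly what a scanner such as OpenVAS tests per Set-Cookie header. The following is an added example, not Cockpit's own code (cockpit-ws is written in C): a small Python checker that parses a Set-Cookie value and reports which of Secure/HttpOnly are absent, plus a builder that emits the deletion header with the same attributes as the live one so both pass the check. The cookie name, the Path=/ value and the constructed sample headers are assumptions, not taken from Cockpit.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example; not Cockpit's code. It demonstrates the per-header check a
vulnerability scanner applies and shows why a deletion header that drops
the attributes gets flagged even though the live session cookie passes.
"""

# Constructed sample headers (assumed shapes, not captured from Cockpit).
LIVE_COOKIE = "cockpit=abc123; Path=/; HttpOnly; Secure"
DELETE_COOKIE_BARE = "cockpit=deleted; Path=/; Max-Age=0"      # attributes dropped
DELETE_COOKIE_FIXED = "cockpit=deleted; Path=/; Max-Age=0; HttpOnly; Secure"


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header value into name, value and attributes.

    Attribute names are case-insensitive (RFC 6265), so keys are lowered.
    Flag attributes such as Secure and HttpOnly map to True; valued
    attributes (Path, Max-Age, ...) keep their string value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def missing_attributes(header: str) -> list:
    """Return the attribute names a scanner would report as missing."""
    attrs = parse_set_cookie(header)["attrs"]
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    return missing


def build_session_cookie(name: str, value: str, over_tls: bool,
                         delete: bool = False) -> str:
    """Build a Set-Cookie value; the deletion variant keeps the attributes.

    Max-Age=0 expires the cookie on delete. HttpOnly is always emitted, and
    Secure is emitted whenever the service knows it is served over TLS, so
    the logout/deletion header passes the same check as the live cookie.
    """
    parts = [f"{name}={'' if delete else value}", "Path=/", "HttpOnly"]
    if delete:
        parts.append("Max-Age=0")
    if over_tls:
        parts.append("Secure")
    return "; ".join(parts)


def audit(headers) -> dict:
    """Map each Set-Cookie header to the list of attributes it lacks."""
    return {h: missing_attributes(h) for h in headers}


if __name__ == "__main__":
    for header, missing in audit(
        [LIVE_COOKIE, DELETE_COOKIE_BARE, DELETE_COOKIE_FIXED]
    ).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{status:28s} {header}")
    print(build_session_cookie("cockpit", "", over_tls=True, delete=True))
```

Run against the three constructed headers, only the bare deletion header is reported; the one built with `delete=True` and `over_tls=True` carries both attributes and passes.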
@petervo Should we set those fields anyway?
How do I do that so it doesn't fail those checks during the vulnerability scan?
@tjgruber code needs to change.
Any progress on this issue? When scanning a new, Fedora 28 host, minimal install, I receive the same 2 vulnerabilities:
I'm using OpenVAS 9 with current definitions. It looks like @tjgruber is using the same tool. I don't have access to any other vulnerability scanners to confirm if they also see the issue.
dnf list installed | grep cockpit
cockpit-bridge.x86_64 166-1.fc28 @updates
uname -a
In which file do I look for this and where is it located?
Hi,
Running a vulnerability scan against my server using Cockpit results in what the title says, and I cannot find where to fix it. I don't have an Apache config file, or see a config file in /etc/cockpit/cockpit.conf.
Is this a built-in vulnerability in Cockpit or is there a way I can fix it? If not, the only solution I see is to not use Cockpit on public-facing servers. What can I do?
Here's the version I'm running:
Here's the results so you have what I have:
Medium (CVSS: 6.4)
NVT: SSL/TLS: Missing 'secure' Cookie Attribute
Summary
Vulnerability Detection Result
Solution
Affected Software/OS
Vulnerability Insight
Vulnerability Detection Method
References
Medium (CVSS: 5.0)
NVT: Missing 'httpOnly' Cookie Attribute
Summary
Vulnerability Detection Result
Solution
Affected Software/OS
Vulnerability Insight
Vulnerability Detection Method
References