ClearFoundation Tracker - ClearOS
View Issue Details
Issue ID: 0021711
Project: ClearOS
Category: webconfig-httpd
View Status: public
Date Submitted: 2018-10-02 14:33
Last Update: 2021-11-09 07:47
Reporter: dloper
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 7.5.0
Target Version: 7.6.0
Fixed in Version: 7.6.0

Summary: 0021711: HttpOnly flag needs to be set

Description:
HttpOnly is an additional flag included in a Set-Cookie HTTP response header. If supported by the browser, using the HttpOnly flag when generating a cookie helps mitigate the risk of client-side script accessing the protected cookie. If a browser that supports HttpOnly detects a cookie containing the HttpOnly flag, and client-side script code attempts to read the cookie, the browser returns an empty string as the result. This causes the attack to fail by preventing the malicious (usually XSS) code from sending the data to an attacker's website.

Additional Information:

n.n.n.n:81
Cookie is not marked as HttpOnly: 'ci_csrf_token=485aaabce93237fdd26c1dd474576811; path=/; domain=n.n.n.n'
URL: https://n.n.n.n:81/app/base/

n.n.n.n:81
Cookie is not marked as HttpOnly: 'clearos_lang=en_US; path=/; domain=n.n.n.n'
URL: https://n.n.n.n:81/app/base/
No tags attached.
Issue History
2018-10-02 14:33  dloper  New Issue
2018-10-30 14:08  user2   Status: new => acknowledged
2018-10-30 14:27  user2   Target Version: 7.5.0 Updates => 7.6.0
2018-11-07 19:50  user2   Note Added: 0008531
2018-11-07 19:50  user2   Status: acknowledged => resolved
2018-11-07 19:50  user2   Fixed in Version: => 7.6.0
2018-11-07 19:50  user2   Resolution: open => fixed
2018-11-07 19:50  user2   Assigned To: => user2
2021-11-09 07:47  NickH   Status: resolved => closed
2021-11-09 07:47  NickH   Assigned To: user2 =>

Notes
(0008531)
user2
2018-11-07 19:50
The ci_csrf_token does not have HttpOnly set (JavaScript needs this for submitting CSRF-protected data). All other cookies have HttpOnly enabled.
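The check behind the scanner output in the description, and the allowlist logic behind user2's note, as an added Python example (this is not code from the ClearOS tracker or from webconfig): it parses Set-Cookie header values, reports which of HttpOnly and Secure each cookie lacks, and appends the missing flags while exempting cookies that client-side script must read. The two cookie strings come from the scan above; the third cookie, its name `example_session`, and the function names are constructed for the example. The Secure check goes beyond the ticket, which only reports HttpOnly.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags.

Added example, not code from the ClearOS tracker or webconfig. The two
scanner findings in the ticket are reproduced as constructed input.
"""
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict  # attribute name (lower-cased) -> value, or True for bare flags


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header value into name, value and attributes.

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
    bare flags such as HttpOnly and Secure are stored as True.
    """
    pairs = [p.strip() for p in header.split(";")]
    name, _, value = pairs[0].partition("=")
    attrs = {}
    for pair in pairs[1:]:
        if not pair:
            continue  # tolerate "a=b;; HttpOnly" or a trailing ';'
        key, has_value, val = pair.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return Cookie(name.strip(), value.strip(), attrs)


def missing_flags(header: str, js_readable=frozenset()) -> set:
    """Return the flags this cookie should carry but does not.

    Cookies listed in js_readable are deliberately left without HttpOnly
    because client-side script must read them (the ticket's ci_csrf_token).
    """
    cookie = parse_set_cookie(header)
    missing = set()
    if "httponly" not in cookie.attrs and cookie.name not in js_readable:
        missing.add("HttpOnly")
    if "secure" not in cookie.attrs:
        missing.add("Secure")
    return missing


def audit(headers, js_readable=frozenset()) -> dict:
    """Map each offending cookie name to its missing flags; clean cookies are omitted."""
    findings = {}
    for header in headers:
        missing = missing_flags(header, js_readable)
        if missing:
            findings[parse_set_cookie(header).name] = missing
    return findings


def harden(header: str, js_readable=frozenset()) -> str:
    """Append whatever flags are missing, honouring the same JS-readable allowlist."""
    out = header.rstrip("; ")
    for flag in sorted(missing_flags(header, js_readable)):
        out += f"; {flag}"
    return out


# Constructed input: the two findings from the ticket's scan of
# https://n.n.n.n:81/app/base/ plus one made-up cookie that is already correct.
SCAN_HEADERS = [
    "ci_csrf_token=485aaabce93237fdd26c1dd474576811; path=/; domain=n.n.n.n",
    "clearos_lang=en_US; path=/; domain=n.n.n.n",
    "example_session=abc123; path=/; HttpOnly; Secure",  # hypothetical cookie name
]

# Per user2's note: the CSRF token cookie must stay readable by JavaScript.
JS_READABLE = frozenset({"ci_csrf_token"})


if __name__ == "__main__":
    for name, flags in audit(SCAN_HEADERS, JS_READABLE).items():
        print(f"Cookie '{name}' is not marked as: {', '.join(sorted(flags))}")
    for header in SCAN_HEADERS:
        print("hardened:", harden(header, JS_READABLE))
```

Run against the two cookies from the scan, `audit` reports both as missing HttpOnly, exactly as the scanner did; with `ci_csrf_token` on the allowlist only `clearos_lang` is flagged for HttpOnly, which matches the state user2 describes after the 7.6.0 fix. Keeping the allowlist explicit is the point: a CSRF token that JavaScript submits cannot be HttpOnly, so it should be the one documented exception rather than an oversight.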