Hi I was using OpenVAS on one of the internal Centos host and I found this vulnerability? Does anyone know how to close this up on a Server with Apache running ssl with php.
Code:
High (CVSS: 6.4)
NVT: Missing Secure Attribute SSL Cookie Information Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.902661)
Overview: The host is running a server with SSL and is prone to information
disclosure vulnerability.
Vulnerability Insight:
The flaw is due to SSL cookie is not using 'secure' attribute, which
allows cookie to be passed to the server by the client over non-secure
channels (http) and allows attacker to conduct session hijacking attacks.
remote systems.
Impact Level: Application
Affected Software/OS:
Server with SSL.
Workaround:
Set the 'secure' attribute for any cookies that are sent over an SSL connection.
References:
http://www.ietf.org/rfc/rfc2965.txt
https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)
In php.ini I section I made this change:
Code:
session.cookie_secure = 1
Did a service httpd restart and re-scanned and it made no difference.
Also added this into the httpd.conf, to rewerite all standard httpd to https and rescanned and it made no difference.
Code:
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
A little confused and noobed by this as I need to make these cookies secure.
Could not see anything in the ssl.conf
Can anyone explain in basic terms how to lock this up?
Thanks
