Bug 713477

Summary: [RFE] RHN Satellite / Spacewalk: Enable HTTPOnly cookies support in Satellite / Spacewalk (CWE-79)
Product: Red Hat Satellite 5
Reporter: Jan Lieskovsky <jlieskov>
Component: WebUI
Assignee: Michael Mráka <mmraka>
Status: CLOSED ERRATA
QA Contact: Martin Minar <mminar>
Severity: medium
Priority: medium
Version: 541
CC: cperry, csuleski, d.muturi, jhutar, jpazdziora, jskrabal, mkoci, mminar, mmraka, mzazrivec, security-response-team, vdanen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: public=20110915,reported=20110522,source=secalert,impact=none,cvss2=0
Fixed In Version: spacewalk-config-1.2.2-7
Doc Type: Bug Fix
Last Closed: 2011-09-15 17:55:57 UTC
Bug Blocks: 622406, 677498

Description Jan Lieskovsky 2011-06-15 14:09:22 UTC
Implementing support for HTTPOnly cookies (access allowed only for server
and prohibited for client script) in Red Hat Network Satellite / Spacewalk
services could block exploitation of some XSS flaws.

References:
[1] http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html
[2] http://stackoverflow.com/questions/528405/which-browsers-do-support-httponly-cookies
[3] https://www.owasp.org/index.php/HttpOnly
[4] http://en.wikipedia.org/wiki/HTTP_cookie#HttpOnly_cookie
[5] http://w2spconf.com/2010/papers/p25.pdf
[6] http://stackoverflow.com/questions/33412/how-do-you-configure-httponly-cookies-in-tomcat-java-webapps
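
A defender-side check for the property this report asks for, added here as an example and not taken from the report or from Spacewalk: it parses Set-Cookie header values and lists the session cookies that are missing the HttpOnly attribute. The header values are constructed, and JSESSIONID is assumed as the session cookie name since the report does not name it.

```python
"""Audit Set-Cookie headers for session cookies that lack HttpOnly.

Added example, not code from the bug report or from Spacewalk. Header
values are constructed; JSESSIONID is an assumed session cookie name.
"""
from typing import Dict, List, Set, Tuple


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, attribute map).

    Attribute names are lower-cased: RFC 6265 treats them as case-insensitive,
    so HttpOnly, HTTPONLY and httponly all count. Flag attributes map to "".
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def find_unprotected(headers: List[str], session_names: Set[str]) -> List[str]:
    """Return the session cookies in `headers` that are set without HttpOnly.

    Only names in `session_names` are checked; a missing flag on a preference
    cookie is not the exposure the report describes.
    """
    unprotected = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name in session_names and "httponly" not in attrs:
            unprotected.append(name)
    return unprotected


# Constructed Set-Cookie values: BEFORE mirrors the state the report
# describes, AFTER the state the requested change should produce.
SESSION_COOKIES = {"JSESSIONID"}
BEFORE = ["JSESSIONID=0123456789ABCDEF; Path=/; Secure", "theme=dark; Path=/"]
AFTER = ["JSESSIONID=0123456789ABCDEF; Path=/; Secure; HttpOnly", "theme=dark; Path=/"]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        missing = find_unprotected(headers, SESSION_COOKIES)
        print(label, "OK" if not missing else "missing HttpOnly: " + ", ".join(missing))
```

Feed it the Set-Cookie values from a captured login response to confirm the deployed configuration actually emits the flag; a flag set only in application code but stripped by a proxy would show up here.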

Comment 5 Clifford Perry 2011-06-15 17:50:36 UTC
*** Bug 710620 has been marked as a duplicate of this bug. ***

Comment 23 errata-xmlrpc 2011-09-15 17:55:57 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-1299.html

Comment 24 Michael Mráka 2011-09-16 09:19:48 UTC
The issue has been addressed in Spacewalk master by
commit a779c73eab6a65f38a03d8fb27b06cc1f71842fc
    713477 - made session cookies httponly

Fixed package: spacewalk-config-1.6.2-1