Bug 713477 - [RFE] RHN Satellite / Spacewalk: Enable HTTPOnly cookies support in Satellite / Spacewalk (CWE-79)
Status: CLOSED ERRATA
Product: Red Hat Satellite 5
Classification: Red Hat
Component: WebUI
Version: 541
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Michael Mráka
QA Contact: Martin Minar
Whiteboard: public=20110915,reported=20110522,sou...
Keywords: Security
Duplicates: 710620
Blocks: 622406 sat541-triage
Reported: 2011-06-15 10:09 EDT by Jan Lieskovsky
Modified: 2016-07-03 20:56 EDT (History)

Fixed In Version: spacewalk-config-1.2.2-7
Doc Type: Bug Fix
Last Closed: 2011-09-15 13:55:57 EDT
Description Jan Lieskovsky 2011-06-15 10:09:22 EDT
Implementing support for HTTPOnly cookies (access allowed only for server
and prohibited for client script) in Red Hat Network Satellite / Spacewalk
services could block exploitation of some XSS flaws.

References:
[1] http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html
[2] http://stackoverflow.com/questions/528405/which-browsers-do-support-httponly-cookies
[3] https://www.owasp.org/index.php/HttpOnly
[4] http://en.wikipedia.org/wiki/HTTP_cookie#HttpOnly_cookie
[5] http://w2spconf.com/2010/papers/p25.pdf
[6] http://stackoverflow.com/questions/33412/how-do-you-configure-httponly-cookies-in-tomcat-java-webapps
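A check a defender can run to confirm the behaviour this RFE asks for, added here as an example and not part of Satellite/Spacewalk or of this bug report: it parses Set-Cookie headers and reports which session cookies lack the HttpOnly (and Secure) attribute. The cookie names and values in the sample, and the /rhn/Login.do path used by the optional live fetch, are constructed assumptions.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes on session cookies."""
from http.client import HTTPSConnection  # only needed by fetch_set_cookie_headers()

# Constructed sample headers, roughly as a server might emit them before/after a fix.
SAMPLE_HEADERS = [
    "pxt-session-cookie=42x7f3a9; path=/; secure",        # session cookie, no HttpOnly
    "JSESSIONID=5C6D7E8F; Path=/rhn; Secure; HttpOnly",    # session cookie, both flags
    "theme=dark; Path=/; Max-Age=31536000",                # preference cookie, no flags
]


def parse_set_cookie(header):
    """Return (cookie_name, {attribute_lowercased: value}) for one Set-Cookie line.

    Attribute names are compared case-insensitively (RFC 6265); flag attributes
    such as Secure and HttpOnly have no value and are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:                      # tolerate a trailing ';'
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True
    return name, attrs


def audit_cookies(headers, session_cookie_names):
    """Map each session cookie name seen to the list of flags it is missing.

    Cookies not named in session_cookie_names are ignored; an empty list means OK.
    """
    findings = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name in session_cookie_names:
            findings[name] = [f for f in ("httponly", "secure") if f not in attrs]
    return findings


def fetch_set_cookie_headers(host, path="/rhn/Login.do"):
    """Collect Set-Cookie headers from a live server (path is an assumption; adjust)."""
    conn = HTTPSConnection(host, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    return [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]


if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS, {"pxt-session-cookie", "JSESSIONID"}).items():
        print(f"{name}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```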
Comment 5 Clifford Perry 2011-06-15 13:50:36 EDT
*** Bug 710620 has been marked as a duplicate of this bug. ***
Comment 23 errata-xmlrpc 2011-09-15 13:55:57 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-1299.html
Comment 24 Michael Mráka 2011-09-16 05:19:48 EDT
The issue has been addressed in Spacewalk master by
commit a779c73eab6a65f38a03d8fb27b06cc1f71842fc
    713477 - made session cookies httponly

Fixed package: spacewalk-config-1.6.2-1
