Quantcast
Channel: All Server Management - Systems Insight Manager posts
Viewing all articles
Browse latest Browse all 4342

Re: Reported vulnerability for HP System Management Homepage

$
0
0

Finally got to the bottom of this issue. I opened a ticket with the HP's software security response team (SSRT). Here is the reply to the specific vulnerability from Rapid7's Nexpose scan. 

 

***************************************

 

From: HP SSRT Security Alert [mailto:security-alert@hp.com]
Sent: Wednesday, March 19, 2014 2:46 PM
Subject: Re: HP System Management Homepage (SMH) Missing HttpOnly Flag from Cookie

 

Hello,

 

Thank you for contacting the HP Software Security Response Team (SSRT).

 

HP Product Engineering for System Management Homepage (SMH) evaluated the Missing HttpOnly Flag from Cookie issue and has provided the following position statement…

 

The reported vulnerability i.e. Missing HttpOnly Flag from Cookie is a client

side defense mechanism and not a vulnerability, where HTTP-only cookies cannot be

accessed by client side script attack (XSS).

 

The HTTP-only cookies denotes the cookies that are not visible

through the DOM i.e. not permitting a script to access an HTTP-only cookie.

Thus, mitigating the risk of client side script accessing the protected cookie.

 

But, HTTP-only cookies do not prevent all XSS exploits and using them is *not a

substitute for eliminating XSS vulnerabilities*.

It is a setting which cannot be relied on as all the browsers do not

support it.

There is no way to control the version of the browser used by the end

user.

 

We have implemented sure ways of defending XSS attacks (server side input

validation, input and output encoding) in SMH which are server side settings

and prevent such attacks from taking place.

 

Thus the reported vulnerability Missing HttpOnly Flag from Cookie is not a

true vulnerability.

 

Yours truly,

Software Security Response Team (SSRT)

Hewlett-Packard Company

 

**********************************


So there you have it. Some times it's by design and the scan is just over reactive.

 

Just on a other side note while I was searching. If you turn this on, it could break some apps. In the Microsoft OWA world, breaks it. Apache and others alike, results may very. 

 

Dirte


Viewing all articles
Browse latest Browse all 4342

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>