oss-sec mailing list archives
CVE request: Easy!Appointments 1.0 Missing HTTPOnly flag
From: Henri Salo <henri () nerv fi>
Date: Mon, 27 Jul 2015 16:28:08 +0300
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Product: Easy!Appointments Open Source Appointment Scheduler
Product URL: http://easyappointments.org/
Vendor: Alex Tselegidis
Vulnerability Type: Information Exposure (CWE-200)
Vulnerable Versions: 1.0
Fixed Version: next release
Vendor Notification: 2015-04-03
Solution Status: Fixed by Misha Tavkhelidze
Solution Date: 2015-06-04
Public Disclosure: 2015-07-27

Vulnerability Details:

Easy!Appointments does not include the HTTPOnly flag in a Set-Cookie header for a 'ci_session' cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

Fixed in the following commit:
https://github.com/alextselegidis/easyappointments/commit/e3273582213849e46e6ff5296be1f169bd96399d

References:
https://www.owasp.org/index.php/HttpOnly
https://en.wikipedia.org/wiki/HTTP_cookie#HttpOnly_cookie

- -- 
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJVtjHoAAoJECet96ROqnV0HjQQAISCtCcmPC+0fdBlr5hMmxc7
/zrVGSmxlpk+MIhQrUoVSlCWOJAsCTTz2gO28fsMMm+9lT5sMTrI0MnKvNfXw4Nt
6fusZBfShFlFTbiE6IcwSTWkeNYIAT9o4R8Gdj5KOx34NWdpbCoGLcfBOzabULTq
tSBtpcl122bm9ekkQq5C7Fcih5WXOdT+DnQQzOaUc/CUgoEIysrKZSmERXIHalgR
Hz3GzWqJ9i3r4CbveDW2YZeLwVb8rmnpzwtR48UmhJU6kzw1feaHpbcuECeSaPL5
sYC1QbmKublMI1eiMYKMRzDaoQz2KBUmfDPahiczV9o6PYGb1INnrliAtm1JE1xH
001PsT0alzk83pQL+aQGs4isI/8sXebPiYbsPuAcpJYTE5Znsa1hDlMlkmyOhEnY
F3llTwMr/oWbdvfFRID93ugj9uTG+kJn1kY/DqDDCet7pTzsxse9DIpei6CF8yJl
wtnXPb2CDUrY6hY4mQ/ii57Emq7XemtzByReXNssTwFdrJej+SKSacNwHsBkd9to
dRdJHLupWgzny4g8Q237EdqyBbF6w6nv5XLbCJhlYDeAQDdc7vi6k94udrUgwyDP
s5nqM7GOD2ANc8pxideRCZeb5UX6AUaYHsGY2s1aiX1o/h7z6KWEVOTpDO3FGTEo
HZF0Fr4yxBVr+ELoWpE4
=6/cR
-----END PGP SIGNATURE-----
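As an added example (not code from the advisory, from Easy!Appointments, or from the linked fix commit), the following Python script performs the check a tester would run to confirm the finding above: it parses the Set-Cookie headers of a raw HTTP response and reports every cookie that lacks the HttpOnly flag, and, as a companion check the advisory does not cover, the Secure flag. The two responses embedded in it are constructed to resemble the vulnerable and the fixed behaviour; the cookie value and dates in them are invented, not captured from the product.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags.

Added example, not code from the advisory or from Easy!Appointments.
The two HTTP responses below are constructed to mirror the issue
described (a CodeIgniter 'ci_session' cookie issued without HttpOnly)
and a response with the flag present.
"""
from typing import Dict, List, Tuple

# Flags expected on any session cookie. The advisory concerns HttpOnly;
# Secure is checked as well because it is the usual companion finding.
REQUIRED_FLAGS = ("HttpOnly", "Secure")


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value}).

    Attribute names are lower-cased because RFC 6265 treats them
    case-insensitively; flag attributes such as HttpOnly have an empty value.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_response(raw: str) -> Dict[str, List[str]]:
    """Return {cookie_name: [missing flags]} for every Set-Cookie header.

    `raw` is a complete HTTP/1.x response: status line, headers, blank
    line, body. Only the header block is inspected.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    findings: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        findings[name] = [f for f in REQUIRED_FLAGS if f.lower() not in attrs]
    return findings


# Constructed response resembling the vulnerable 1.0 behaviour described
# in the advisory: ci_session is set with neither HttpOnly nor Secure.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: ci_session=d41d8cd98f00b204e9800998ecf8427e; "
    "expires=Mon, 27-Jul-2015 15:28:08 GMT; path=/\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed response with HttpOnly added. Secure is still absent, so the
# audit keeps reporting it; the advisory itself covers HttpOnly only.
FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: ci_session=d41d8cd98f00b204e9800998ecf8427e; "
    "expires=Mon, 27-Jul-2015 15:28:08 GMT; path=/; HttpOnly\r\n"
    "\r\n"
    "<html></html>"
)


def report(raw: str) -> List[str]:
    """Human-readable lines, one per cookie, for use in a test write-up."""
    lines = []
    for name, missing in audit_response(raw).items():
        if missing:
            lines.append(f"{name}: missing {', '.join(missing)}")
        else:
            lines.append(f"{name}: ok")
    return lines


if __name__ == "__main__":
    print("vulnerable:", *report(VULNERABLE_RESPONSE), sep="\n  ")
    print("fixed:", *report(FIXED_RESPONSE), sep="\n  ")
```

Pipe any saved response through `audit_response` (for example the output of `curl -i`) to reproduce the check against a live instance. HttpOnly stops `document.cookie` from reading the session cookie, so an XSS payload cannot exfiltrate it; it does not stop that same payload from issuing authenticated requests from the victim's browser, so the flag narrows the impact of a script-injection bug rather than removing it. In CodeIgniter-based applications the flag is normally controlled by `$config['cookie_httponly']` in `application/config/config.php` (general CodeIgniter knowledge, not read from the linked commit).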
Current thread:
- CVE request: Easy!Appointments 1.0 Missing HTTPOnly flag Henri Salo (Jul 27)