Missing Cookie Security Attribute “httpOnly”

Issue: SI-24
Date: Apr 21, 2014 3:00:00 PM
Severity: Low
Requires Admin Access: Yes
Fix Version: 2.5.7
Credit: Internal Security Team
Description:

The session cookie in use can be read by client-side code using JavaScript. This means that a Cross-Site Scripting vulnerability in the page allows an attacker to retrieve the session cookie and therefore log in to the administrative interface without a password. An attacker can use this to specifically target an administrative user and steal their session cookie. Using this cookie, the attacker is able to log in to the administrative interface without the username or password.
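To check a server's responses for the weakness described above, the following added example (not part of this advisory or the affected product) parses `Set-Cookie` header values and reports cookies that lack the `HttpOnly` attribute; the cookie name `SESSIONID` and the header values are constructed samples, not the product's real cookie.

```python
"""Audit Set-Cookie headers for the missing HttpOnly attribute.

Added example, not part of the original advisory or the affected product.
The header values below are constructed samples; the cookie name
"SESSIONID" is an assumption, not the product's real session cookie name.
"""
from typing import Dict, List


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie header value into its cookie and attributes.

    Returns a dict with the cookie name under "name", its value under
    "value", and each attribute as a lower-cased key (attribute names are
    case-insensitive per RFC 6265); flag attributes such as HttpOnly and
    Secure map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    # Only the first "=" separates name from value; values may contain "=".
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def missing_httponly(headers: List[str]) -> List[str]:
    """Return the names of cookies in the given Set-Cookie headers that lack HttpOnly."""
    return [c["name"] for c in map(parse_set_cookie, headers) if "httponly" not in c]


# Constructed samples: the weak header the advisory describes, and the corrected
# header a fixed server should emit (Secure is added as well, so the cookie is
# never sent over plaintext HTTP).
WEAK_HEADER = "SESSIONID=abc123; Path=/admin"
FIXED_HEADER = "SESSIONID=abc123; Path=/admin; HttpOnly; Secure"

if __name__ == "__main__":
    for h in (WEAK_HEADER, FIXED_HEADER):
        print(h, "->", "MISSING HttpOnly" if missing_httponly([h]) else "ok")
```

With `HttpOnly` set, `document.cookie` no longer exposes the session cookie to page scripts, which removes the session-theft path described above even if a Cross-Site Scripting bug remains.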

Workaround:

As a workaround, we suggest using an application firewall to block external access to the admin URL.