  1. ZABBIX BUGS AND ISSUES
  2. ZBX-13262

Cookies are stored without http-only attribute which makes them vulnerable against XSS attacks.


    • Team A
    • Sprint 11, Sprint 12, Sprint 13, Sprint 14, Sprint 15, Sprint 16, Sprint 17, Sprint 18, Sprint 19, Sprint 20, Sprint 21
    • 4

      Customer wrote:

      We are a customer of Zabbix and during a recent test of our network we noticed that the Zabbix application is setting user's session cookies (PHPSESSID and zbx_sessionid) without the 'Http-only' attribute. Setting the Http-Only attribute helps protect the session cookies from being accessed and compromised via Cross-Site Scripting and JavaScript attacks. I was not able to find any configurations to make such a change in Zabbix. Do you have any recommendations for me? Or is there a plan to include this configuration?
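
Added example (not part of the customer's report and not Zabbix code): a small audit that parses Set-Cookie header values and reports which of the two session cookies named above are set without HttpOnly. The header strings are constructed samples, and the function names are hypothetical.

```python
# Added example: audit Set-Cookie headers for the HttpOnly attribute.
# All header values below are constructed samples, not captured from Zabbix.

SESSION_COOKIES = {"PHPSESSID", "zbx_sessionid"}  # cookie names from the report


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs).

    attrs maps lower-cased attribute names to their value ('' for flags).
    Only segments after the first ';' are attributes, so a cookie value
    that happens to contain the text 'HttpOnly' is not mistaken for the flag.
    """
    first, *rest = header_value.split(";")
    name, _, value = first.strip().partition("=")
    attrs = {}
    for segment in rest:
        key, _, val = segment.strip().partition("=")
        if key:
            attrs[key.lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def missing_httponly(set_cookie_headers, names=SESSION_COOKIES):
    """Return the sorted names of watched cookies set without HttpOnly."""
    flagged = set()
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name in names and "httponly" not in attrs:
            flagged.add(name)
    return sorted(flagged)


# Constructed responses: one matching the report, one with the flag set.
REPORTED = [
    "PHPSESSID=abc123; path=/",
    "zbx_sessionid=HttpOnly0f3e; path=/zabbix",  # word in value, flag absent
]
HARDENED = [
    "PHPSESSID=abc123; path=/; HttpOnly",
    "zbx_sessionid=0f3e; path=/zabbix; httponly",  # attribute names ignore case
]

if __name__ == "__main__":
    print("reported:", missing_httponly(REPORTED))
    print("hardened:", missing_httponly(HARDENED))
```
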

            Miks.Kronkalns Miks Kronkalns