  1. ZABBIX BUGS AND ISSUES
  2. ZBX-13262

Cookies are stored without http-only attribute which makes them vulnerable against XSS attacks.

    Details

    • Team:
      Team A
    • Sprint:
      Sprint 11, Sprint 12, Sprint 13, Sprint 14, Sprint 15, Sprint 16, Sprint 17, Sprint 18, Sprint 19, Sprint 20, Sprint 21
    • Story Points:
      4

      Description

      Customer wrote:

      We are a customer of Zabbix and during a recent test of our network we noticed that the Zabbix application is setting user's session cookies (PHPSESSID and zbx_sessionid) without the 'Http-only' attribute. Setting the Http-Only attribute helps protect the session cookies from being accessed and compromised via Cross-Site Scripting and JavaScript attacks. I was not able to find any configurations to make such a change in Zabbix. Do you have any recommendations for me? Or is there a plan to include this configuration?
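
A check for the condition the customer describes, as an added example that is not part of the ticket or of Zabbix's own code: it parses `Set-Cookie` response headers and reports which of the two session cookies named above are set without `HttpOnly`. The header values are constructed samples and the function names are hypothetical.

```python
# Added example: audit Set-Cookie headers for a missing HttpOnly attribute.
# Cookie names come from the report; all header values are constructed.
SESSION_COOKIES = {"PHPSESSID", "zbx_sessionid"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, attrs).

    attrs maps lower-cased attribute names to their values ("" for flags),
    so the check is case-insensitive and never looks at the cookie value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def missing_httponly(set_cookie_headers, names=SESSION_COOKIES):
    """Return the sorted names of watched cookies set without HttpOnly."""
    flagged = set()
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name in names and "httponly" not in attrs:
            flagged.add(name)
    return sorted(flagged)


# Constructed response headers: the state described in the report ...
SAMPLE_WITHOUT = [
    "PHPSESSID=constructed0001; path=/",
    "zbx_sessionid=constructed0002; expires=Thu, 01-Jan-2026 00:00:00 GMT; path=/",
]
# ... and the same cookies with the attribute present.
SAMPLE_WITH = [
    "PHPSESSID=constructed0001; path=/; HttpOnly",
    "zbx_sessionid=constructed0002; path=/; httponly",
]

if __name__ == "__main__":
    print("without attribute:", missing_httponly(SAMPLE_WITHOUT))
    print("with attribute:   ", missing_httponly(SAMPLE_WITH))
    # A value that merely contains the word must not count as the attribute.
    print("value spoof:      ", missing_httponly(["PHPSESSID=HttpOnly; path=/"]))
```

Feed it the `Set-Cookie` values captured from a login response; an empty list means both session cookies carried the attribute.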

            People

            • Assignee:
              Miks.Kronkalns Miks Kronkalns
              Reporter:
              Miks.Kronkalns Miks Kronkalns