[ZBX-13262] Cookies are stored without http-only attribute which makes them vulnerable against XSS attacks. Created: 2017 Jun 16 Updated: 2024 Apr 10 Resolved: 2017 Dec 27 |
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | None |
Affects Version/s: | None |
Fix Version/s: | 2.2.21rc1, 3.0.14rc1, 3.4.5rc1, 4.0.0alpha1, 4.0 (plan) |
Type: | Incident report | Priority: | Trivial |
Reporter: | Miks Kronkalns | Assignee: | Miks Kronkalns |
Resolution: | Fixed | Votes: | 0 |
Labels: | None | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified |
Issue Links: |
Epic Link: | DEV-591 | ||||
Team: | Team A | ||||
Sprint: | Sprint 11, Sprint 12, Sprint 13, Sprint 14, Sprint 15, Sprint 16, Sprint 17, Sprint 18, Sprint 19, Sprint 20, Sprint 21 | ||||
Story Points: | 4 |
Description |
Customer wrote: We are a customer of Zabbix and during a recent test of our network we noticed that the Zabbix application is setting users' session cookies (PHPSESSID and zbx_sessionid) without the 'HttpOnly' attribute. Setting the HttpOnly attribute helps protect the session cookies from being accessed and compromised via Cross-Site Scripting and JavaScript attacks. I was not able to find any configuration to make such a change in Zabbix. Do you have any recommendations for me? Or is there a plan to include this configuration? |
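The check the reporter describes, written out as an added example (this is not Zabbix code and not part of the issue): it parses the Set-Cookie headers of a response and flags the two session cookies named above when they lack HttpOnly. The header values are constructed samples showing a pre-fix and a post-fix response; the cookie values are placeholders, and the Secure and SameSite checks are extras a tester would normally run alongside HttpOnly.

```python
"""Audit Set-Cookie headers for the HttpOnly attribute.

Added example for ZBX-13262, not Zabbix's own code. It reproduces the check
the reporter ran: parse each Set-Cookie header of a login response and flag
session cookies that lack HttpOnly, which leaves them readable from JavaScript
via document.cookie if an XSS bug exists anywhere on the same origin.
"""
from typing import Dict, List, Tuple

# Cookie names the report calls out; adjust for other applications.
SESSION_COOKIE_NAMES = {"PHPSESSID", "zbx_sessionid"}

# Constructed sample header values (not captured traffic); the hex strings
# are placeholders, not real session identifiers.
VULNERABLE_HEADERS = [
    "PHPSESSID=0123456789abcdef0123456789abcdef; path=/",
    "zbx_sessionid=fedcba9876543210fedcba9876543210; path=/",
]
FIXED_HEADERS = [
    "PHPSESSID=0123456789abcdef0123456789abcdef; path=/; HttpOnly",
    "zbx_sessionid=fedcba9876543210fedcba9876543210; path=/; HttpOnly; Secure; SameSite=Lax",
]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are case-insensitive (RFC 6265), so they are lowered.
    Flag attributes such as HttpOnly and Secure map to an empty string.
    Splitting on ';' is safe: an Expires date contains commas, never ';'.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookies(headers: List[str]) -> Dict[str, Dict[str, bool]]:
    """Return, per cookie name, whether HttpOnly, Secure and a restrictive
    SameSite value are present. Insertion order follows header order."""
    report: Dict[str, Dict[str, bool]] = {}
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        report[name] = {
            "httponly": "httponly" in attrs,
            "secure": "secure" in attrs,
            "samesite": attrs.get("samesite", "").lower() in ("lax", "strict"),
        }
    return report


def missing_http_only(headers: List[str]) -> List[str]:
    """Names of the session cookies that were set without HttpOnly."""
    return [
        name
        for name, flags in audit_cookies(headers).items()
        if name in SESSION_COOKIE_NAMES and not flags["httponly"]
    ]


if __name__ == "__main__":
    for label, hdrs in (("before fix", VULNERABLE_HEADERS), ("after fix", FIXED_HEADERS)):
        print(label, "-> session cookies missing HttpOnly:", missing_http_only(hdrs) or "none")
```

In a PHP frontend the corresponding fix is to pass the httponly flag to setcookie() for application cookies such as zbx_sessionid and to set session.cookie_httponly=1 for PHPSESSID; this example only verifies the result from the outside. Two caveats worth keeping in mind when reading a clean report: HttpOnly stops script from reading the cookie, but an XSS payload can still issue authenticated requests from the victim's browser, so it reduces the impact of XSS rather than fixing it; and a cookie set over plain HTTP without Secure is still exposed on the wire regardless of HttpOnly.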
Comments |
Comment by Miks Kronkalns [ 2017 Nov 23 ] |
Fixed: