
List:       oss-security
Subject:    [oss-security] CVE request: Easy!Appointments 1.0 Missing HTTPOnly flag
From:       Henri Salo <henri () nerv ! fi>
Date:       2015-07-27 13:28:08
Message-ID: 20150727132808.GA23000 () lakka ! kapsi ! fi

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Product: Easy!Appointments Open Source Appointment Scheduler
Product URL: http://easyappointments.org/
Vendor: Alex Tselegidis
Vulnerability Type: Information Exposure (CWE-200)
Vulnerable Versions: 1.0
Fixed Version: next release
Vendor Notification: 2015-04-03
Solution Status: Fixed by Misha Tavkhelidze
Solution Date: 2015-06-04
Public Disclosure: 2015-07-27

Vulnerability Details:

Easy!Appointments does not include the HTTPOnly flag in a Set-Cookie header for a
'ci_session' cookie, which makes it easier for remote attackers to obtain
potentially sensitive information via script access to this cookie.

Fixed in the following commit:
    https://github.com/alextselegidis/easyappointments/commit/e3273582213849e46e6ff5296be1f169bd96399d

References:
    https://www.owasp.org/index.php/HttpOnly
    https://en.wikipedia.org/wiki/HTTP_cookie#HttpOnly_cookie

- -- 
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
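A small defender-side check for the class of issue reported above, added here as an example; it is not code from the advisory or from the Easy!Appointments project. It parses the Set-Cookie headers of a raw HTTP response and reports every cookie that lacks the HttpOnly attribute (and, optionally, Secure). The two sample responses are constructed for the example; only the cookie name ci_session comes from the advisory.

```python
"""Report Set-Cookie headers that omit HttpOnly (and optionally Secure).

Added example for the oss-security post above; not project code.
Attribute names are matched case-insensitively, as RFC 6265 requires.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ParsedCookie:
    name: str
    attributes: dict[str, str | bool]  # lowercased attribute -> value or True

    def has(self, attribute: str) -> bool:
        return attribute.lower() in self.attributes


def parse_set_cookie(header_value: str) -> ParsedCookie:
    """Split one Set-Cookie value into the cookie name and its attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")  # first '=' separates name/value
    attributes: dict[str, str | bool] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, value = part.partition("=")
        # Flag attributes such as HttpOnly and Secure carry no value.
        attributes[key.strip().lower()] = value.strip() if sep else True
    return ParsedCookie(name.strip(), attributes)


def extract_set_cookie_headers(raw_response: str) -> list[str]:
    """Return the values of all Set-Cookie headers in a raw HTTP response."""
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    values = []
    for line in head.splitlines()[1:]:  # skip the status line
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def find_cookies_missing_flags(
    raw_response: str, required: tuple[str, ...] = ("httponly",)
) -> dict[str, list[str]]:
    """Map each cookie name to the required attributes it does not set."""
    findings: dict[str, list[str]] = {}
    for value in extract_set_cookie_headers(raw_response):
        cookie = parse_set_cookie(value)
        missing = [flag for flag in required if not cookie.has(flag)]
        if missing:
            findings[cookie.name] = missing
    return findings


# Constructed sample responses (not captured from a real server).
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: ci_session=a%3A1%3A%7Bs%3A2%3A%22id%22%3B%7D; "
    "expires=Mon, 27-Jul-2015 15:28:08 GMT; path=/\r\n"
    "\r\n"
    "<html></html>"
)

FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: ci_session=a%3A1%3A%7Bs%3A2%3A%22id%22%3B%7D; "
    "expires=Mon, 27-Jul-2015 15:28:08 GMT; path=/; HttpOnly\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    print("vulnerable:", find_cookies_missing_flags(VULNERABLE_RESPONSE))
    print("fixed:     ", find_cookies_missing_flags(FIXED_RESPONSE))
    print("fixed, requiring Secure too:",
          find_cookies_missing_flags(FIXED_RESPONSE, ("httponly", "secure")))
```

The check is deliberately header-level: it does not matter which framework issued the cookie, only whether the browser will be told to withhold it from script. Requiring Secure as well is the usual second step once the site is served over TLS.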