NetLink, posted November 27, 2012:
I'm not sure about PCI compliance in general, but my vulnerability scanning service is failing after the upgrade to 5.1.2. The test that fails is: Sensitive Cookie Missing 'HTTPONLY' Attribute - Medium Severity
malfunction, posted November 27, 2012:
I think this affects all versions; certainly it's also present in 5.0.x: The application does not utilize HTTP-only cookies. This is a new security feature introduced by Microsoft in IE 6 SP1 to mitigate the possibility of successful Cross-site Scripting attacks by not allowing cookies with the "HttpOnly" flag to be accessed via client-side scripts. An attacker can easily steal a user's session if the attacker is able to manipulate the JavaScript. This vulnerability has a very high security impact if the site is also vulnerable to Cross Site Scripting (XSS).
Matt (WHMCS CEO), posted November 28, 2012:
This must be a new check PCI compliance scanners have introduced. We don't really use that many cookies in WHMCS; apart from the remember-me login option, we only use the standard PHP session tracking ones which PHP sets itself, and I suspect it's those which it is referring to. For those there is a php.ini file setting which you can adjust to have the HttpOnly attribute set. Just look for the following line in your php.ini file and set it to On, or if not present, add it:

    session.cookie_httponly = On

Matt
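The following is an added example, not code from this thread or from WHMCS itself. It does two things in Python that correspond to the post above: it applies the php.ini change (replacing an existing, possibly commented-out `session.cookie_httponly` line, or appending one when absent) and it performs the check the scanner performs, parsing `Set-Cookie` response headers and reporting sensitive cookies that lack `HttpOnly`. The php.ini fragments and response headers are constructed for the demonstration; `PHPSESSID` is PHP's default `session.name`. The parser also records the `Secure` flag, which the thread does not discuss, because a scanner that checks one usually checks the other.

```python
"""Apply and verify session.cookie_httponly.

Added example for the thread above; not WHMCS code. Inputs below are
constructed, not captured from a real server.
"""
import re
from http.cookies import SimpleCookie
from typing import Dict, Iterable, List

# Matches an active or commented-out directive line in php.ini.
_DIRECTIVE = re.compile(r"^[ \t]*;?[ \t]*session\.cookie_httponly[ \t]*=.*$",
                        re.MULTILINE)
_ON_LINE = "session.cookie_httponly = On"

# PHPSESSID is PHP's default session.name; extend with your own cookie names.
SENSITIVE_COOKIES = {"PHPSESSID"}


def enable_cookie_httponly(php_ini: str) -> str:
    """Return php.ini text with session.cookie_httponly = On.

    Every existing occurrence (including ';'-commented ones) becomes the
    active On line, so PHP's last-directive-wins rule cannot leave an Off
    behind; if no occurrence exists, the line is appended.
    """
    if _DIRECTIVE.search(php_ini):
        return _DIRECTIVE.sub(_ON_LINE, php_ini)
    sep = "" if (not php_ini or php_ini.endswith("\n")) else "\n"
    return php_ini + sep + _ON_LINE + "\n"


def parse_set_cookie(headers: Iterable[str]) -> Dict[str, Dict[str, bool]]:
    """Map cookie name -> {'httponly': bool, 'secure': bool} from raw header lines."""
    result: Dict[str, Dict[str, bool]] = {}
    for line in headers:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue  # status line or unrelated header
        jar = SimpleCookie()
        jar.load(value.strip())  # parses attributes such as HttpOnly and Secure
        for cname, morsel in jar.items():
            result[cname] = {
                "httponly": bool(morsel["httponly"]),
                "secure": bool(morsel["secure"]),
            }
    return result


def missing_httponly(headers: Iterable[str],
                     sensitive: Iterable[str] = SENSITIVE_COOKIES) -> List[str]:
    """Names of sensitive cookies set without HttpOnly: what the scanner flags."""
    cookies = parse_set_cookie(headers)
    return sorted(n for n, attrs in cookies.items()
                  if n in set(sensitive) and not attrs["httponly"])


# Constructed sample headers: PHP's session cookie with the default php.ini
# (no HttpOnly) and after session.cookie_httponly = On.
BEFORE_FIX = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: PHPSESSID=abc123; path=/",
    "Set-Cookie: lang=en; path=/",
]
AFTER_FIX = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly",
    "Set-Cookie: lang=en; path=/",
]

# Constructed php.ini fragment with the directive commented out.
SAMPLE_INI = "[Session]\n; session.cookie_httponly = Off\nsession.use_cookies = 1\n"

if __name__ == "__main__":
    print("before fix, flagged:", missing_httponly(BEFORE_FIX))
    print("after fix, flagged:", missing_httponly(AFTER_FIX))
    print(enable_cookie_httponly(SAMPLE_INI))
```

To run the check against a real install, capture the response headers with something like `curl -sI https://example.invalid/whmcs/` (hostname is a placeholder) and pass the lines to `missing_httponly`; an empty list means the session cookie now carries `HttpOnly`. Note that the php.ini directive only affects cookies PHP's session handler sets; cookies an application sets itself via `setcookie()` need the flag passed explicitly.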
malfunction, posted November 29, 2012:
That fixed it, thanks Matt.