insecure cookie(port 2083) PCI failure

EWD

Well-Known Member
PartnerNOC
Aug 19, 2003
165
0
166
NY
Here are the latest failures:

2083 - Missing Secure Attribute in an Encrypted Session (SSL) Cookie - The application sets a cookie over a secure channel without using the "secure" attribute. The RFC states that if the cookie does not have the secure attribute assigned to it, then the cookie can be passed to the server by the client over non-secure channels (http). Using this attack, an attacker may be able to intercept this cookie over the non-secure channel and use it for a session hijacking attack. - It is best business practice for any cookies that are sent (set-cookie) over an SSL connection to explicitly state secure on them.

2083 - Potentially Sensitive Information Missing Secure Attribute in an Encrypted Session (SSL) Cookie - The application sets a cookie over a secure channel without using the "secure" attribute. The RFC states that if the cookie does not have the secure attribute assigned to it, then the cookie can be passed to the server by the client over non-secure channels (http). Using this attack, an attacker may be able to intercept this cookie over the non-secure channel and use it for a session hijacking attack. The information that was sent was flagged as being potentially sensitive. Potentially sensitive information could be session tokens, user IDs, or passwords. - It is best business practice for any cookies that are sent (set-cookie) over an SSL connection to explicitly state secure on them. Speak with your web developer to have them enable the secure attribute on cookies sent over secure connections.
 
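The two scanner findings above come down to one check: does every Set-Cookie header returned over TLS (here, port 2083) carry the Secure attribute, and which of the offenders look like session material? The script below is an added example, not code from the thread or from cPanel; it parses raw Set-Cookie values (constructed sample headers are embedded) and reports both conditions. The list of "sensitive" name fragments is an assumption, not the scanner's actual rule.

```python
"""Audit Set-Cookie headers from a TLS response for the Secure attribute.

Added example (not from the thread or from cPanel). Given the raw
Set-Cookie header values an HTTPS endpoint returns, report every cookie
that lacks the Secure attribute, and separately flag the ones whose
names suggest session material, mirroring the two PCI findings.
"""
import re
from dataclasses import dataclass

# Name fragments treated as potentially sensitive (assumption, not the scanner's real list).
SENSITIVE_NAME_RE = re.compile(r"sess|token|auth|login|user|pass", re.IGNORECASE)


@dataclass
class CookieFinding:
    name: str
    secure: bool
    httponly: bool
    sensitive: bool


def parse_set_cookie(header_value: str) -> CookieFinding:
    """Parse one Set-Cookie header value: name=value followed by ;-separated attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; value-bearing ones (path=/) keep only the name.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieFinding(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        sensitive=bool(SENSITIVE_NAME_RE.search(name)),
    )


def audit_cookies(set_cookie_headers):
    """Return (names missing Secure, sensitive names missing Secure) for one HTTPS response."""
    findings = [parse_set_cookie(h) for h in set_cookie_headers]
    insecure = [f.name for f in findings if not f.secure]
    insecure_sensitive = [f.name for f in findings if not f.secure and f.sensitive]
    return insecure, insecure_sensitive


# Constructed sample headers, as a login page on :2083 might set them (not real cPanel output).
SAMPLE_HEADERS = [
    "sessionid=abc123; path=/; HttpOnly",
    "timezone=UTC; path=/",
    "lang=en; path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    insecure, sensitive = audit_cookies(SAMPLE_HEADERS)
    print("Cookies missing Secure:", insecure)            # ['sessionid', 'timezone']
    print("Sensitive cookies missing Secure:", sensitive)  # ['sessionid']
```

To run it against a live server, feed it the values of every Set-Cookie header from an HTTPS response to the login page; a fix is verified when both lists come back empty.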

EWD

Any ideas on this issue?

Thanks :)
 

EWD

Sorry, cpanelkenneth

Original report was running on cPanel 11.24.0-C30789
Upgraded today to cPanel 11.24.0-C30898 and the issue is still present.

Thanks ;)
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,607
80
458
cPanel Access Level
Root Administrator
> Sorry, cpanelkenneth
>
> Original report was running on cPanel 11.24.0-C30789
> Upgraded today to cPanel 11.24.0-C30898 and the issue is still present.
>
> Thanks ;)

Thank you. I'll pass this along to the developers.