Anyone else come across this? Security ran a scan and the K1000 and K2000 both have this vulnerability.

ISSUE: "Missing HttpOnly Attribute in Session Cookie"

There was some question here at my organization about whether the 5.5 upgrade addressed it, but I didn't see any reference in the release notes or elsewhere, so I don't think it was addressed.

The "Fix recommendation" is to "Add the 'HttpOnly' attribute to all session cookies." This sounds like something Kace support would have to do, but if it's a big deal and isn't already done, then I would expect it's not done for a reason.

Any info at all on this oddball would be great.


Thanks,
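For anyone who wants to reproduce the scanner's check against their own appliance before opening a ticket, here is an added example (not code from the original post, from KACE, or from AppScan) that parses Set-Cookie header values the way such a finding is usually generated: it flags cookies that look like session cookies and lack HttpOnly (and Secure), and shows what a hardened header looks like. The cookie names in the sample headers (PHPSESSID, kboxid, lang, csrftoken) are constructed for illustration and are not taken from the appliance; the "looks like a session cookie" heuristic is likewise an assumption of this example, not the scanner's actual rule.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure attributes.

Added example, not code from the original post or from KACE.  It mimics the
check behind a "Missing HttpOnly Attribute in Session Cookie" finding: parse
each Set-Cookie header, decide whether the cookie looks like a session cookie,
and report which hardening attributes are absent.  Cookie names used in the
sample data are assumptions for illustration, not names from the appliance.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Heuristic (an assumption of this example): a cookie is treated as a session
# cookie if its name suggests one, or if it has no Expires/Max-Age, i.e. it
# lives only for the browser session.
SESSION_NAME_RE = re.compile(r"(sess|sid|auth|token|login)", re.IGNORECASE)

# Canonical spelling of attributes when rebuilding a header.
CANONICAL = {
    "httponly": "HttpOnly", "secure": "Secure", "path": "Path",
    "domain": "Domain", "expires": "Expires", "max-age": "Max-Age",
    "samesite": "SameSite",
}


@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)  # lower-cased keys

    @property
    def http_only(self) -> bool:
        return "httponly" in self.attrs

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def is_session(self) -> bool:
        persistent = "expires" in self.attrs or "max-age" in self.attrs
        return bool(SESSION_NAME_RE.search(self.name)) or not persistent


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value: name=value followed by ;-separated attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value.strip(), attrs)


def format_set_cookie(cookie: Cookie) -> str:
    """Rebuild a Set-Cookie header value from a parsed cookie."""
    parts = [f"{cookie.name}={cookie.value}"]
    for key, val in cookie.attrs.items():
        shown = CANONICAL.get(key, key)
        parts.append(shown if val is None else f"{shown}={val}")
    return "; ".join(parts)


def missing_attributes(cookie: Cookie) -> List[str]:
    """Hardening attributes a session cookie lacks; empty for non-session or hardened cookies."""
    if not cookie.is_session:
        return []
    missing = []
    if not cookie.http_only:
        missing.append("HttpOnly")
    if not cookie.secure:
        missing.append("Secure")
    return missing


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Map cookie name -> missing attributes, listing only cookies with findings."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        gaps = missing_attributes(cookie)
        if gaps:
            findings[cookie.name] = gaps
    return findings


def harden(header: str) -> str:
    """Return the header with HttpOnly and Secure added if it is a session cookie."""
    cookie = parse_set_cookie(header)
    if cookie.is_session:
        cookie.attrs.setdefault("httponly", None)
        cookie.attrs.setdefault("secure", None)
    return format_set_cookie(cookie)


# Constructed sample Set-Cookie values (not captured from a real appliance).
SAMPLE_HEADERS = [
    "PHPSESSID=3f9c1e2a7b; Path=/",                                # session cookie, no flags
    "kboxid=ab12cd34; Path=/; Secure",                             # session cookie, HttpOnly missing
    "lang=en; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT",      # persistent preference, out of scope
    "csrftoken=deadbeef; Path=/; HttpOnly; Secure; SameSite=Lax",  # already hardened
]

if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_HEADERS).items():
        print(f"{name}: missing {', '.join(gaps)}")
    for header in SAMPLE_HEADERS:
        print(f"{header!r} -> {harden(header)!r}")
```

In practice you would feed `audit()` the Set-Cookie values from a real login response (for example from `curl -i` against the appliance); the HttpOnly attribute is set by the server, so the hardened header is what you would expect to see once the vendor or an admin has enabled it, and nothing on the client side can add it after the fact.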


Comments

  • What are you using for a Security scan?
  • Hi Mary, thanks for replying.

    Scan tool==> IBM AppScan - We're a tiered setup and a different group runs the scan. We have plenty of other internal and external sites, but as far as I know, only our K1000 and K2000 came up with it.
  • I have asked a few engineers and they have not seen this. Can you open a ticket with KACE technical support and provide the scan information. Ask for the ticket to be assigned to Mary.
