Comment 0 for bug 1944587

Jason Stephenson (jstephenson) wrote :

Evergreen 3.5.3+

A recent security audit turned up HTTP cookies in Evergreen that are flagged neither Secure nor HttpOnly:

  * https://owasp.org/www-community/controls/SecureCookieAttribute
  * https://owasp.org/www-community/HttpOnly

Cookies not flagged as "Secure" will be sent over non-HTTPS connections and may expose information to a potential man-in-the-middle attack.

Cookies not flagged HttpOnly can be accessed by JavaScript and may expose useful data in a cross-site scripting attack.

The cookies set by the Evergreen OPACs and staff clients should be reviewed to set both the Secure and HttpOnly flags where appropriate. Perhaps these flags should be set by default and only removed where necessary?

This is being reported as a public security bug because it triggers failure on automated security audits even though it does not seem to be exploitable in recent Evergreen releases.
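To make the report above concrete, here is a small audit script (an added example, not Evergreen code and not part of the bug report; Evergreen's server side is Perl, so this is a standalone checker rather than a patch) that parses Set-Cookie header values, lists the cookies missing Secure or HttpOnly, and shows the hardened form of a header. The cookie names and header lines are constructed for the example and are not captured from any Evergreen server.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example for this bug report; not Evergreen code. The sample headers at
the bottom are constructed to resemble an OPAC/staff-client response and are
not captured from a real server.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    missing: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieReport:
    """Parse one Set-Cookie header value.

    The first `name=value` pair is the cookie itself; each following
    `;`-separated token is an attribute. Attribute names are matched
    case-insensitively, which is how browsers treat them.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    secure = httponly = False
    samesite: Optional[str] = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
        elif key == "samesite":
            samesite = val.strip() or None
    missing = []
    if not secure:
        missing.append("Secure")     # would be sent over plain HTTP
    if not httponly:
        missing.append("HttpOnly")   # readable via document.cookie (XSS)
    return CookieReport(name, secure, httponly, samesite, missing)


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Return {cookie name: [missing attributes]} for cookies lacking a flag."""
    return {r.name: r.missing for r in map(parse_set_cookie, headers) if r.missing}


def harden(header_value: str, *, httponly: bool = True) -> str:
    """Append Secure (and, by default, HttpOnly) to a Set-Cookie value.

    `httponly=False` is for the rare cookie that client-side JavaScript
    legitimately needs to read; Secure is always added.
    """
    report = parse_set_cookie(header_value)
    out = header_value.rstrip().rstrip(";")
    if not report.secure:
        out += "; Secure"
    if httponly and not report.httponly:
        out += "; HttpOnly"
    return out


# Constructed sample headers (hypothetical cookie names, not Evergreen's).
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Expires=Wed, 13 Oct 2021 12:00:00 GMT",
    "prefs=1; Path=/; Secure",
    "staff=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for cookie, missing in audit_headers(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
    print(harden(SAMPLE_HEADERS[0]))
```

Run against real responses by pasting each Set-Cookie value into the list (for example from `curl -sI https://host/eg/opac/home`); a cookie that JavaScript must read can be passed through `harden(..., httponly=False)`, matching the report's suggestion of setting both flags by default and dropping HttpOnly only where necessary.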