Message-ID: <20150727132808.GA23000@lakka.kapsi.fi>
Date: Mon, 27 Jul 2015 16:28:08 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org, Alex Tselegidis <alextselegidis@...il.com>
Subject: CVE request: Easy!Appointments 1.0 Missing HTTPOnly flag

Product: Easy!Appointments Open Source Appointment Scheduler
Product URL: http://easyappointments.org/
Vendor: Alex Tselegidis
Vulnerability Type: Information Exposure (CWE-200)
Vulnerable Versions: 1.0
Fixed Version: next release
Vendor Notification: 2015-04-03
Solution Status: Fixed by Misha Tavkhelidze
Solution Date: 2015-06-04
Public Disclosure: 2015-07-27

Vulnerability Details:
Easy!Appointments does not include the HttpOnly flag in the Set-Cookie header for the 'ci_session' cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

Fixed in the following commit:
https://github.com/alextselegidis/easyappointments/commit/e3273582213849e46e6ff5296be1f169bd96399d

References:
https://www.owasp.org/index.php/HttpOnly
https://en.wikipedia.org/wiki/HTTP_cookie#HttpOnly_cookie

-- 
Henri Salo
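The check below is an added example, not code from the advisory or from the Easy!Appointments project: it parses Set-Cookie headers and reports session cookies that are set without HttpOnly, the exposure the advisory describes. Only the 'ci_session' cookie name is taken from the advisory; the two sample responses are constructed, one mirroring the reported 1.0 behaviour and one showing a correctly flagged header.

```python
# Added example (not from the advisory or Easy!Appointments): audit Set-Cookie
# headers for session cookies missing the HttpOnly flag.
from dataclasses import dataclass, field

SESSION_COOKIE_NAMES = ("ci_session",)  # CodeIgniter session cookie named in the advisory

# Constructed sample responses: the first mirrors the reported 1.0 behaviour,
# the second shows the Set-Cookie header with HttpOnly (and Secure) present.
VULNERABLE_RESPONSE_HEADERS = [
    "ci_session=a3f9c0example; expires=Mon, 27-Jul-2015 15:28:08 GMT; path=/",
    "lang=en; path=/",
]
FIXED_RESPONSE_HEADERS = [
    "ci_session=a3f9c0example; expires=Mon, 27-Jul-2015 15:28:08 GMT; path=/; HttpOnly; Secure",
    "lang=en; path=/",
]

@dataclass
class Cookie:
    name: str
    httponly: bool
    secure: bool
    attributes: dict = field(default_factory=dict)

def parse_set_cookie(header_value: str) -> Cookie:
    """Split 'name=value; attr; attr=value' into a Cookie; attribute names are case-insensitive."""
    name_value, *attr_parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = name_value.partition("=")
    attrs = {}
    for part in attr_parts:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return Cookie(name.strip(), "httponly" in attrs, "secure" in attrs, attrs)

def find_unprotected_session_cookies(set_cookie_headers, session_names=SESSION_COOKIE_NAMES):
    """Return the names of session cookies set without HttpOnly, in header order."""
    return [c.name for c in map(parse_set_cookie, set_cookie_headers)
            if c.name in session_names and not c.httponly]

if __name__ == "__main__":
    for label, headers in (("1.0", VULNERABLE_RESPONSE_HEADERS), ("fixed", FIXED_RESPONSE_HEADERS)):
        print(label, find_unprotected_session_cookies(headers))
```

The same check can be run against the headers of a live response by feeding it every Set-Cookie value the server returned; a non-empty result means script-readable session cookies.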