Missing Cookie Security Attribute “httpOnly”

Issue: SI-24
Date: Apr 21, 2014, 11:00:00 AM
Severity: Low
Requires Admin Access: Yes
Fix Version: 2.5.7
Credit: Internal Security Team
Description:

The session cookie in use can be read by client-side code using JavaScript because it is set without the httpOnly attribute. This means that a Cross-Site Scripting vulnerability in the page allows an attacker to retrieve the session cookie and therefore log in to the administrative interface without a password. An attacker can use this to specifically target an administrative user and steal their session cookie. Using this cookie, the attacker is able to log in to the administrative interface without the username or password.

Mitigation:

As a workaround, we suggest using an application firewall to block external access to the admin URL. The fix in version 2.5.7 sets the httpOnly attribute on the session cookie so that client-side script can no longer read it.
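The following Node.js snippet is an added example, not code from the advisory or from the affected product. It shows two things a defender wants when verifying this finding: an audit that parses `Set-Cookie` header values and reports session cookies that lack `HttpOnly`, and a helper that emits a session cookie with the attributes the fix should carry. The cookie names, the sample headers and the `sessionPattern` used to pick out session cookies are constructed assumptions, not values taken from the advisory.

```javascript
// Added example (not part of the advisory): audit Set-Cookie headers for a
// missing HttpOnly attribute and build a correctly attributed session cookie.

// Parse one Set-Cookie header value into its name, value and attributes.
// Attribute names are case-insensitive per RFC 6265, so they are lower-cased;
// flag attributes such as HttpOnly and Secure are stored as `true`.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue = '', ...attrs] = parts;
  const eq = nameValue.indexOf('=');
  const name = (eq >= 0 ? nameValue.slice(0, eq) : nameValue).trim();
  const value = eq >= 0 ? nameValue.slice(eq + 1).trim() : '';
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i >= 0 ? attr.slice(0, i) : attr).trim().toLowerCase();
    attributes[key] = i >= 0 ? attr.slice(i + 1).trim() : true;
  }
  return { name, value, attributes };
}

// Return the names of session cookies (matched by `sessionPattern`, an assumed
// heuristic) that are set without HttpOnly. Such a cookie is exposed through
// document.cookie and is the condition this advisory describes.
function findCookiesMissingHttpOnly(headers, sessionPattern = /sess/i) {
  return headers
    .map(parseSetCookie)
    .filter((c) => sessionPattern.test(c.name) && !('httponly' in c.attributes))
    .map((c) => c.name);
}

// Build a Set-Cookie value for a session cookie with HttpOnly (not readable
// by script), SameSite, an explicit Path and, for HTTPS deployments, Secure.
function buildSessionCookie(name, value, { path = '/', secure = true } = {}) {
  const attrs = [`Path=${path}`, 'HttpOnly', 'SameSite=Lax'];
  if (secure) attrs.push('Secure');
  return `${name}=${value}; ${attrs.join('; ')}`;
}

// Constructed sample headers with hypothetical cookie names (not from the page).
const SAMPLE_HEADERS = [
  'ADMINSESSID=abc123; Path=/admin',                   // exposed: no HttpOnly
  'ADMINSESSID=abc123; Path=/admin; HttpOnly; Secure', // fixed
  'theme=dark; Path=/',                                // not a session cookie
];

// Stand-alone demonstration: reports ['ADMINSESSID'] for the first sample and
// shows the hardened header a server should emit instead.
console.log('session cookies missing HttpOnly:', findCookiesMissingHttpOnly(SAMPLE_HEADERS));
console.log('hardened header:', buildSessionCookie('ADMINSESSID', 'abc123', { path: '/admin' }));
```

To use this against a real deployment, feed `findCookiesMissingHttpOnly` the `Set-Cookie` values captured from the admin login response; an empty result after the upgrade confirms the fix, while a non-empty result means the workaround (blocking external access to the admin URL) is still needed. The `sessionPattern` heuristic should be replaced with the exact cookie name the application uses.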