Hi,
I found a vulnerability problem on the NCPA agent. The problem is the following:
SSL / TLS: Missing `secure` Cookie Attribute (IP host) (port: 5693)
Set-Cookie: session=eyJyZWRpcmVjdCI6Imh0dHBzOi8vMTAuMTAuMy4xMDQ6NTY5My8ifQ.EFz9CQ.NVUmaIxym3klqP3EUxhdlls5I8o; HttpOnly; Path=/
are missing the "secure" attribute.
What I did was modify the NCPA.CFG configuration file like this:
....
ssl_version = TLSv1_2
ssl_ciphers = ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
certificate = adhoc
...
The "Secure" parameter in the Apache server is set like this:
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
But it does not seem that NCPA supports the Secure Set-Cookie mode.
Did you also encounter this problem? How did you solve it?
Thank you all!
NCPA 1.9 on CentOS 7 Vulnerabilities
Re: NCPA 1.9 on CentOS 7 Vulnerabilities
When you say "NCPA 1.9", do you mean "2.1.9"? There is no version "1.9"...
There is no way to set secure cookie in NCPA, but we don't allow non-ssl connections, so this shouldn't matter.
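
Added example, not part of the original thread and not NCPA code: a small Python check that parses a `Set-Cookie` header, reports which of the `Secure` and `HttpOnly` flags are missing, and appends only the missing ones. The Apache `Header edit` rule quoted above appends both flags unconditionally, so it would repeat `HttpOnly` on this cookie. The function names and the sample token are constructed for illustration, and the rewrite assumes a proxy or middleware sits in front of the listener.

```python
# Added example: audit a Set-Cookie header and append only the missing flags.
REQUIRED = ("Secure", "HttpOnly")  # the flags this scanner finding is about


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attr_lowercase: attr_value})."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("not a Set-Cookie value")
    name, value = (s.strip() for s in parts[0].split("=", 1))
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name, value, attrs


def missing_flags(header):
    """Return the required flags that the header does not carry."""
    _, _, attrs = parse_set_cookie(header)
    return [flag for flag in REQUIRED if flag.lower() not in attrs]


def harden(header):
    """Return the header with missing flags appended, never duplicated."""
    return "; ".join([header.rstrip("; ")] + missing_flags(header))


# Constructed sample in the shape of the header quoted in the post (placeholder token).
SAMPLE = "Set-Cookie: session=PLACEHOLDER.TOKEN.VALUE; HttpOnly; Path=/"

if __name__ == "__main__":
    print("missing:", missing_flags(SAMPLE))
    print("hardened:", harden(SAMPLE))
```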