NCPA 1.9 on CentOS 7 Vulnerabilities
Posted: Fri Sep 13, 2019 10:37 am
Hi,
I found a vulnerability problem on the NCPA agent, the problem is the following:
SSL / TLS: Missing `secure` Cookie Attribute (IP host) (port: 5693)
Set-Cookie: session=eyJyZWRpcmVjdCI6Imh0dHBzOi8vMTAuMTAuMy4xMDQ6NTY5My8ifQ.EFz9CQ.NVUmaIxym3klqP3EUxhdlls5I8o; HttpOnly; Path=/
are missing the "secure" attribute.
What I did was modify the NCPA.CFG configuration file like this:
....
ssl_version = TLSv1_2
ssl_ciphers = ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
certificate = adhoc
...
The "Secure" parameter in the Apache server is set like this:
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
But it does not seem that NCPA supports the Secure Set-Cookie mode.
Did you also encounter this problem? How did you solve it?
Thank you all!
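
One way to re-check the scanner's finding after any configuration change, as an added example that is not part of the original post or of NCPA: it parses Set-Cookie header values and reports which of Secure and HttpOnly are absent. The header strings and function names are constructed for illustration and only shaped like the header quoted in the post.

```python
# Added example: audit Set-Cookie header values for missing security attributes.
# SAMPLE_HEADERS are constructed test values, not captured from a real agent.

SAMPLE_HEADERS = [
    "session=CONSTRUCTED.VALUE.ONE; HttpOnly; Path=/",          # shape of the flagged header
    "session=CONSTRUCTED.VALUE.TWO; HttpOnly; Path=/; Secure",  # what the scanner expects
    "pref=secure; Path=/",                                      # value merely contains "secure"
    "token=CONSTRUCTED; SECURE; httponly; SameSite=Strict",     # attribute names are case-insensitive
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs).

    Attribute names are lower-cased; flag attributes such as Secure map to "".
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing or doubled ';'
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def missing_flags(header_value, required=("secure", "httponly")):
    """Return the required attributes that this cookie does not carry."""
    _, _, attrs = parse_set_cookie(header_value)
    return [flag for flag in required if flag not in attrs]


def audit(headers):
    """Return (cookie name, missing attributes) for every non-compliant header."""
    findings = []
    for header in headers:
        name, _, _ = parse_set_cookie(header)
        missing = missing_flags(header)
        if missing:
            findings.append((name, missing))
    return findings


if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE_HEADERS):
        print(f"{cookie}: missing {', '.join(missing)}")
```

Matching on parsed attribute names rather than searching the raw header for the word "secure" avoids a false pass when the cookie value itself contains that string.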