Posted to bugs@httpd.apache.org by bu...@apache.org on 2013/12/17 14:52:38 UTC

[Bug 55896] New: Secure page can be cached in browser. Cache control is not set in HTTP header nor HTML header.

https://issues.apache.org/bugzilla/show_bug.cgi?id=55896

            Bug ID: 55896
           Summary: Secure page can be cached in browser.  Cache control
                    is not set in HTTP header nor HTML header.
           Product: Apache httpd-2
           Version: 2.2.15
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_headers
          Assignee: bugs@httpd.apache.org
          Reporter: meirre@mellanox.com

Created attachment 31123
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31123&action=edit
Added HTML headers which made the security flag disappear.

Hi,
When running the OWASP ZAP web security tool, I get the following flag:
Secure page can be cached in browser.  Cache control is not set in HTTP header
nor HTML header.  Sensitive content can be recovered from browser storage.

I was surprised since I had the no-cache header in both the HTML code and the
httpd header.

After investigating the flag, I noticed that the response was a generic 302
Found error response from Apache (located in
apache/src/modules/http/http_protocol.c).

I have added a patch to the code which adds the cache-control & pragma HTML
headers with no-cache - and that solved the security flag (patch attached).

full response given:
header:
HTTP/1.1 302 Found
Date: Sat, 30 Nov 2013 10:44:40 GMT
Server: Apache
X-Frame-Options: DENY
Location:
https://10.209.0.81/admin/launch?script=rh&template=login&v_error=Incorrect%20user%20id%20or%20password.&f_user_id=ZAP
Content-Length: 376
Content-Type: text/html; charset=iso-8859-1

body:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a
href="https://10.209.0.81/admin/launch?script=rh&amp;template=login&amp;v_error=Incorrect%20user%20id%20or%20password.&amp;f_user_id=ZAP">here</a>.</p>
<hr>
<address>Apache Server at 10.209.0.81 Port 443</address>
</body></html>


In conclusion:
1. bug is "Secure page can be cached in browser." (found by OWASP ZAP) for
https page response "302 Found" from Apache.

2. recommended solution: add to http_protocol.c the no-cache in the HTML head in
case https was called.

3. test case could be taken from OWASP ZAP on an https url.

I would appreciate it if it could be fixed, even in a patch manner, and I would
test it locally.

Thanks,
Meir

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


--- Comment #7 from Eric Covener <co...@gmail.com> ---
(In reply to meirre from comment #6)
> Could you please refer to my question please:
> 
> 2. If no "no-cache" flag was entered in the header, how could the response
> avoid being cached by the browser?
> 
> If it is not explicitly mentioned, isn't it a security risk over the Apache
> generic response?

No idea what you're talking about. Try the users mailing list.

--- Comment #6 from meirre@mellanox.com ---
Could you please refer to my question please:

2. If no "no-cache" flag was entered in the header, how could the response
avoid being cached by the browser?

If it is not explicitly mentioned, isn't it a security risk over the Apache
generic response?

Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW

--- Comment #2 from Eric Covener <co...@gmail.com> ---
>  A response received with any other status code (e.g. status codes 302 and
> 307) MUST NOT be returned in a reply to a subsequent request unless there
> are cache-control directives or another header(s) that explicitly allow it.
> For example, these include the following: an Expires header (section 14.21);
> a "max-age", "s-maxage", "must-revalidate", "proxy-revalidate", "public" or
> "private" cache-control directive (section 14.9).

Sorry, I realize now that Apache did not cache anything, so the above is n/a.

Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |INVALID

--- Comment #5 from Eric Covener <co...@gmail.com> ---
Don't reopen bugs to carry on discussions unless you have some further evidence
of a bug.  

The test tool emulates a browser. httpd bugzilla is no place to discuss its
implementation.

Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
                 OS|                            |All

--- Comment #1 from Eric Covener <co...@gmail.com> ---
Does it happen on a contemporary maintenance level?

A response received with any other status code (e.g. status codes 302 and 307)
MUST NOT be returned in a reply to a subsequent request unless there are
cache-control directives or another header(s) that explicitly allow it. For
example, these include the following: an Expires header (section 14.21); a
"max-age", "s-maxage", "must-revalidate", "proxy-revalidate", "public" or
"private" cache-control directive (section 14.9).

meirre@mellanox.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |---

--- Comment #4 from meirre@mellanox.com ---
Hi Eric,
thanks for your response.
Your explanation did not fit the current state.

1. How could you explain that the test returned it as cached?
2. If no "no-cache" flag was entered in the header, how could the response
avoid being cached by the browser?

3. Do you believe that the test case by the OWASP ZAP tool is wrong?

I would appreciate it if you could recheck it.

Thanks,
Meir

Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #3 from Eric Covener <co...@gmail.com> ---
The response was already un-cacheable, see the final sentence below:

10.3.3 302 Found

   The requested resource resides temporarily under a different URI.
   Since the redirection might be altered on occasion, the client SHOULD
   continue to use the Request-URI for future requests.  This response
   is only cacheable if indicated by a Cache-Control or Expires header
   field.

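The disagreement in this thread comes down to the RFC 2616 rule Eric quotes in comments #1 and #3: a 302 may only be cached when a Cache-Control or Expires header explicitly allows it, whereas a 200 is cacheable by default unless a header forbids it. The following Python script is an added example, not code from the bug report, from OWASP ZAP or from httpd; it applies that rule to raw responses. The sample responses are constructed for the example (the first mirrors the shape of the 302 in the report, with the Location URL replaced by a placeholder host), and the header and directive handling is a deliberately small heuristic, not a full HTTP cache implementation.

```python
"""Apply the RFC 2616 cacheability rule quoted in this thread to raw responses.

Heuristic only: it looks at the status code and at the Cache-Control / Expires
headers, which is exactly the criterion comments #1 and #3 quote. All sample
responses below are constructed for this example.
"""
from typing import Dict, Set, Tuple

# Status codes RFC 2616 section 13.4 treats as cacheable by default.
CACHEABLE_BY_DEFAULT = {200, 203, 206, 300, 301, 410}

# Directives the quoted text lists as explicitly allowing a response to be cached.
ALLOWING_DIRECTIVES = {"max-age", "s-maxage", "must-revalidate",
                       "proxy-revalidate", "public", "private"}


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.x response into (status_code, headers).

    Header names are lower-cased; a repeated header is joined with ", ",
    which is how RFC 2616 combines list-valued headers.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln for ln in head.split("\n") if ln.strip()]
    status_code = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status_code, headers


def cache_directives(headers: Dict[str, str]) -> Set[str]:
    """Return the directive names present in Cache-Control, without arguments."""
    value = headers.get("cache-control", "")
    return {part.split("=", 1)[0].strip().lower()
            for part in value.split(",") if part.strip()}


def is_cacheable(status_code: int, headers: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a cache may store and reuse the response, with the reason."""
    directives = cache_directives(headers)
    if "no-store" in directives:
        # no-store wins over every permissive directive that may sit beside it
        return False, "Cache-Control: no-store forbids storing the response"
    allowing = directives & ALLOWING_DIRECTIVES
    if allowing:
        return True, f"Cache-Control explicitly allows it ({', '.join(sorted(allowing))})"
    if "expires" in headers:
        return True, "an Expires header explicitly allows it"
    if status_code in CACHEABLE_BY_DEFAULT:
        return True, f"status {status_code} is cacheable by default"
    return False, (f"status {status_code} is only cacheable if Cache-Control "
                   "or Expires says so, and neither is present")


# Constructed sample: the shape of the 302 from the bug report (URL replaced).
REDIRECT_302 = """HTTP/1.1 302 Found
Date: Sat, 30 Nov 2013 10:44:40 GMT
Server: Apache
X-Frame-Options: DENY
Location: https://login.example.invalid/admin/launch?template=login
Content-Length: 376
Content-Type: text/html; charset=iso-8859-1

<html><body><h1>Found</h1></body></html>
"""

# Constructed sample: a successful page with no caching policy at all. This is
# the case the scanner's finding really matters for: a 200 is cacheable by default.
PAGE_200_NO_POLICY = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html

<html><body>account details</body></html>
"""

# Constructed sample: the same page with an explicit "do not store" policy.
PAGE_200_NO_STORE = """HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Type: text/html

<html><body>account details</body></html>
"""

# Constructed sample: a 302 that an Expires header makes cacheable after all.
REDIRECT_302_EXPIRES = """HTTP/1.1 302 Found
Server: Apache
Location: https://login.example.invalid/
Expires: Thu, 01 Jan 2026 00:00:00 GMT

"""


def audit(raw: str) -> Tuple[int, bool, str]:
    """Parse one raw response and return (status, cacheable, reason)."""
    status_code, headers = parse_response(raw)
    cacheable, reason = is_cacheable(status_code, headers)
    return status_code, cacheable, reason


if __name__ == "__main__":
    for name, sample in [("302 redirect", REDIRECT_302),
                         ("200 no policy", PAGE_200_NO_POLICY),
                         ("200 no-store", PAGE_200_NO_STORE),
                         ("302 + Expires", REDIRECT_302_EXPIRES)]:
        status, ok, why = audit(sample)
        print(f"{name:14} -> {'CACHEABLE' if ok else 'not cacheable'}: {why}")
```

Run stand-alone, the script classifies the report's 302 as not cacheable, which is Eric's point, while the 200 with no policy comes out cacheable by default; that second case is the one a finding like ZAP's is worth acting on. Note that this implements only the quoted RFC rule; browsers and scanners may apply their own heuristics on top of it, which is why the two sides of the thread could look at the same response and disagree. On the httpd side, the policy can be stated explicitly with mod_headers (for example `Header always set Cache-Control "no-store"` in the relevant Location or Directory block) so that no client or scanner has to fall back on status-code defaults.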