Posted to users@tomcat.apache.org by "D, Dwarakesh" <Dw...@xerox.com> on 2015/03/31 11:27:42 UTC

Cross-site vulnerability in Apache 2.2.11

Hello,

One of our applications is running on Tomcat, and the requests are being redirected by Apache to Tomcat.
When we did a vulnerability scan for that application, we encountered a cross-site scripting vulnerability. To remediate this, I added the snippet below to the httpd.conf file and did a fresh scan.
But the vulnerability is still visible in the scan report. Can you advise me how to fix this?

The lines below were added to the httpd.conf file; the Apache version is 2.2.11.
Header always append X-Frame-Options SAMEORIGIN
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

Thanks,
Dwarak


Re: Cross-site vulnerability in Apache 2.2.11

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Dwarak,

On 3/31/15 5:27 AM, D, Dwarakesh wrote:
> One of our application is running on Tomcat and the requests are 
> being redirected by Apache to Tomcat.

Do you mean proxied and not redirected?

> When we did vulnerability scan for that application, we have 
> encountered Cross-site scripting vulnerability. For remediating
> this, I have added below snippet in httpd.conf file and did a
> fresh scan.

> But still the vulnerability is visible in the scan report. Can you 
> advise me how to put a fix for this.

Do you actually understand the vulnerability? It may be fixed but the
tool is too stupid to be able to detect it. Or, you may have patched
it incorrectly.

Would you care to post the CVE, and maybe where you got the solution?

> Below lines are added in the httpd.conf file and the apache version
> is 2.2.11
> Header always append X-Frame-Options SAMEORIGIN
> Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

You should make sure that the Set-Cookie header modification is
appropriate; some cookies might need to work in non-secure contexts.
You are better-off making sure that cookies are not created unless the
context is secure, and that they always have the "Secure" flag.

-chris
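
The two directives Dwarak posted do not touch the HTML the application generates, so a reflected or stored XSS finding in the application's own output will survive them; they only harden the response headers (clickjacking via X-Frame-Options, cookie theft via HttpOnly, cookie leakage over plain HTTP via Secure). The Python below is an added example, not code from the thread or from Apache httpd: it models what mod_headers does to a response for `Header append`, `Header set` and `Header edit` (assumptions: `edit` rewrites the first regex match in every header of the given name, `append` joins onto an existing header with ", ", `set` replaces it), runs the posted configuration and a tightened variant against a constructed Tomcat response, and audits the result the way a header scanner would. The backend response headers are constructed for the example, as is the assumption that Tomcat already emits its own X-Frame-Options and an already-HttpOnly cookie; the lookahead patterns are an alternative to `^(.*)$` and are not from the thread.

```python
"""Model of the mod_headers directives from the thread and the audit a scanner
applies to the result. Added example; not from the thread or from Apache httpd.
All sample headers are constructed, not captured from a real server."""
import re

# Constructed: what the Tomcat backend might send before mod_headers runs.
BACKEND_HEADERS = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("X-Frame-Options", "DENY"),                       # app already sets its own
    ("Set-Cookie", "JSESSIONID=0123ABCD; Path=/app"),  # no flags at all
    ("Set-Cookie", "lang=en; Path=/; HttpOnly"),       # already HttpOnly
]

# The `Header edit` as posted: unconditionally appends both flags.
POSTED_EDIT = (r"^(.*)$", "$1;HttpOnly;Secure")
# Alternative (assumed, not from the thread): only match cookies that lack the
# flag, using a PCRE/`re`-compatible negative lookahead, so nothing is duplicated.
EDIT_HTTPONLY = (r"(?i)^((?:(?!;\s?HttpOnly).)+)$", "$1; HttpOnly")
EDIT_SECURE = (r"(?i)^((?:(?!;\s?Secure).)+)$", "$1; Secure")


def header_edit(headers, name, pattern, replacement):
    r"""`Header edit <name> <pattern> <replacement>`: every header called <name>
    gets the first regex match in its value rewritten. `$N` becomes `\g<N>`."""
    rx = re.compile(pattern)
    repl = re.sub(r"\$(\d)", r"\\g<\1>", replacement)
    return [(n, rx.sub(repl, v, count=1) if n.lower() == name.lower() else v)
            for n, v in headers]


def header_append(headers, name, value):
    """`Header append`: merge onto an existing header of that name, comma-separated;
    add a new header only if none exists."""
    out, merged = [], False
    for n, v in headers:
        if n.lower() == name.lower() and not merged:
            out.append((n, f"{v}, {value}"))
            merged = True
        else:
            out.append((n, v))
    if not merged:
        out.append((name, value))
    return out


def header_set(headers, name, value):
    """`Header set`: replace any existing header of that name."""
    return [(n, v) for n, v in headers if n.lower() != name.lower()] + [(name, value)]


def audit(headers):
    """What a scanner checks: exactly one unambiguous X-Frame-Options value, and
    HttpOnly + Secure present once on every cookie. Returns findings ([] == clean)."""
    findings = []
    xfo = [v for n, v in headers if n.lower() == "x-frame-options"]
    if not xfo:
        findings.append("X-Frame-Options missing")
    elif len(xfo) > 1 or "," in xfo[0]:
        findings.append(f"X-Frame-Options ambiguous: {xfo}")
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        cname = v.split("=", 1)[0]
        attrs = [a.strip().lower() for a in v.split(";")[1:]]
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"cookie {cname} lacks {flag}")
            elif attrs.count(flag) > 1:
                findings.append(f"cookie {cname} repeats {flag}")
    return findings


def as_posted(headers=BACKEND_HEADERS):
    """The configuration from the thread, applied to the backend response."""
    h = header_append(headers, "X-Frame-Options", "SAMEORIGIN")
    return header_edit(h, "Set-Cookie", *POSTED_EDIT)


def tightened(headers=BACKEND_HEADERS):
    """`set` instead of `append`, plus edits that add a flag only when absent."""
    h = header_set(headers, "X-Frame-Options", "SAMEORIGIN")
    h = header_edit(h, "Set-Cookie", *EDIT_HTTPONLY)
    return header_edit(h, "Set-Cookie", *EDIT_SECURE)


if __name__ == "__main__":
    for label, fn in (("backend only", lambda: BACKEND_HEADERS),
                      ("as posted", as_posted), ("tightened", tightened)):
        print(f"--- {label}")
        for n, v in fn():
            print(f"{n}: {v}")
        print("findings:", audit(fn()) or "none")
```

Running it shows why a scanner can still complain after the posted snippet: `append` turns the backend's own `X-Frame-Options: DENY` into `DENY, SAMEORIGIN`, and `^(.*)$` stacks a second `HttpOnly` onto the cookie that already had one. The tightened variant audits clean, but it is still a reverse-proxy patch over cookies the application minted; Chris's last paragraph points at the better place to fix this, which is the application or Tomcat issuing cookies with the Secure flag in the first place (and only in a secure context), rather than httpd rewriting them afterwards. Neither variant changes the application's HTML, so an XSS finding in the page body needs to be fixed in the application's output encoding, not in httpd.conf.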
