Exchange Server Forums
httponly flag: OWA and PCI compliance

httponly flag: OWA and PCI compliance - 3.Jul.2015 11:14:43 AM   
jago_ff
Posts: 1
Joined: 3.Jul.2015
Status: offline
Hi, we are a bit stuck on this issue. We are running Exchange 2010 Server with OWA on port 443, and on this server we ran a pentest with Nexpose and found some security issues, particularly this one:

Undefined CVE, Missing HttpOnly Flag
From Cookie

protocol: tcp
port: 443
instance:
/owa/default.asp

Cookie is not marked as HttpOnly: 'cadata=; expires=Thu, 03-Jan-
1970 00:00:00 GMT; path=/; domain=xxx.xx.xxx.xxx'
URL: https://xxx.xx.xxx.xxx/owa/default.asp

Trying to find a solution for this, we read on TechNet:
https://social.technet.microsoft.com/Forums/forefront/en-US/030da584-81b7-44ee-a554-8ab05dbf3531/missing-secure-flag-httponly-flag-from-ssl-cookie-owa

this answer from a TechNet community support member:

---
Hi,

We do not set the cookies to HttpOnly because we require access to some of these cookies from scripts.
So we cannot change this, but we take care to use best practices and safeguards within our code to protect against cross-site scripting attacks.

So it is by design.

Xiu Zhang
TechNet Community Support
-----

We tried setting <httpCookies httpOnlyCookies="true" requireSSL="true"/> or <httpCookies requireSSL="true" /> in the web.config of OWA, but then it stopped working.

We can't fix this vulnerability, and we can't find any official documentation about this issue.

Many people have this question for PCI certification... any ideas?


thanks and best regards
Post #: 1
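Two things a practitioner would want to check before chasing this finding further. First, the header Nexpose quoted has an empty value and a 1970 expiry date, so it is the server clearing the cadata cookie (OWA's forms-based-authentication cookie), not issuing it; the flags are still missing, and a scanner will keep reporting it, but the Set-Cookie that matters most is the one that sets cadata after a successful login, and that one should be inspected too. Second, the httpCookies element in web.config only governs cookies that ASP.NET's managed HttpCookie code emits; a cookie written as a raw header outside managed code is not affected by it, which fits the observation above that the setting changed nothing useful and only broke OWA. The script below is an added example written for this thread (it is not code from the original post, from Nexpose or from Microsoft): it re-implements the scanner's check so a fix can be re-verified without re-running the scanner, and it separates cookie deletions from live cookies. The sample headers are constructed, modelled on the line in the finding, and the hostname placeholder and the cookie name sessionid are invented for illustration.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure flags.

Added example for this thread; not code from the original post, Nexpose
or Microsoft. Parses Set-Cookie values the way a scanner does, flags
missing HttpOnly / Secure, and marks headers that merely delete a cookie
(past Expires or Max-Age<=0) so the two cases can be judged separately.
"""
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


@dataclass
class CookieReport:
    name: str
    httponly: bool
    secure: bool
    deletion: bool                    # header clears the cookie rather than setting it
    attributes: dict = field(default_factory=dict)

    @property
    def findings(self):
        """Names of the flags the header is missing, in a fixed order."""
        missing = []
        if not self.httponly:
            missing.append("HttpOnly")
        if not self.secure:
            missing.append("Secure")
        return missing


def parse_set_cookie(header: str, now: datetime = None) -> CookieReport:
    """Parse one Set-Cookie header value.

    Splitting on ';' is safe: the comma inside an Expires value such as
    'Thu, 03-Jan-1970 00:00:00 GMT' is not a separator in this header.
    """
    now = now or datetime.now(timezone.utc)
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    httponly = secure = deletion = False
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "httponly":
            httponly = True
        elif key == "secure":
            secure = True
        else:
            attrs[key] = val
            if key == "max-age" and val.lstrip("-").isdigit() and int(val) <= 0:
                deletion = True
            elif key == "expires":
                try:
                    exp = parsedate_to_datetime(val)
                    if exp.tzinfo is None:            # treat a naive date as UTC
                        exp = exp.replace(tzinfo=timezone.utc)
                    if exp <= now:
                        deletion = True
                except (TypeError, ValueError):
                    pass                              # unparsable date: not a deletion
    return CookieReport(name.strip(), httponly, secure, deletion, attrs)


def audit(headers, now: datetime = None):
    """Run the check over a list of Set-Cookie header values."""
    return [parse_set_cookie(h, now) for h in headers]


def fetch_set_cookie_headers(url: str, verify_tls: bool = True):
    """Collect Set-Cookie headers from one live response without following
    redirects, since the cookie is usually set on the 302 itself."""
    ctx = ssl.create_default_context()
    if not verify_tls:                                # only for a lab host with a self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None

    opener = urllib.request.build_opener(NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    try:
        resp = opener.open(url, timeout=10)
    except urllib.error.HTTPError as err:
        resp = err                                    # 3xx/4xx responses still carry Set-Cookie
    return resp.headers.get_all("Set-Cookie") or []


# Constructed sample: the first line mirrors the header in the Nexpose finding,
# the second is the same header with both flags added, the third is an invented
# live (non-deleting) cookie that lacks HttpOnly.
SAMPLE_HEADERS = [
    "cadata=; expires=Thu, 03-Jan-1970 00:00:00 GMT; path=/; domain=xxx.xx.xxx.xxx",
    "cadata=; expires=Thu, 03-Jan-1970 00:00:00 GMT; path=/; domain=xxx.xx.xxx.xxx; Secure; HttpOnly",
    "sessionid=abc123; path=/owa; Secure",
]

if __name__ == "__main__":
    for r in audit(SAMPLE_HEADERS):
        kind = "deletion" if r.deletion else "live cookie"
        status = "missing " + ", ".join(r.findings) if r.findings else "OK"
        print(f"{r.name:<10} {kind:<12} {status}")
```

To run it against a real OWA front end, replace SAMPLE_HEADERS with `fetch_set_cookie_headers("https://<your-host>/owa/")`, then log in through a browser with the developer tools open and paste the Set-Cookie lines from the post-login 302 into the same audit call; a cadata header without HttpOnly on that response is the finding that actually matters for session theft via script.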