Details
-
Type:
Improvement
-
Status: Closed
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: EE-3.3.0.GA_P02, 4.0
-
Fix Version/s: EE-4.0.0.GA, EE-3.3.0.GA_P03, 4.1
-
Component/s: Push Library
-
Labels:None
-
Environment:All
-
Assignee Priority:P1
-
Support Case References:Support Case #13126 - https://icesoft.my.salesforce.com/5007000000rqkNj
Description
A security scan has flagged the ice.push.browser Cookie for noting having a secure and httpOnly attributes.
Summary
--------------------------------------------------------------------------------------------------------------------------
Report Vulnerable - ice.push.browser Cookie has problem(s)
Severity Low
SmartAttack Cookie Vulnerabilities
--------------------------------------------------------------------------------------------------------------------------
Message
--------------------------------------------------------------------------------------------------------------------------
ice.push.browser Cookie has problem(s)
ice.push.browser = hi2xevbo8;
Host = cdm-test.kyisc.us.ams1907.com;
Path = /
1. Cookie does not have secure attribute.
2. Cookie does not have HTTPOnly attribute.
Summary
--------------------------------------------------------------------------------------------------------------------------
Report Vulnerable - ice.push.browser Cookie has problem(s)
Severity Low
SmartAttack Cookie Vulnerabilities
--------------------------------------------------------------------------------------------------------------------------
Message
--------------------------------------------------------------------------------------------------------------------------
ice.push.browser Cookie has problem(s)
ice.push.browser = hi2xevbo8;
Host = cdm-test.kyisc.us.ams1907.com;
Path = /
1. Cookie does not have secure attribute.
2. Cookie does not have HTTPOnly attribute.
Activity
| Field | Original Value | New Value |
|---|---|---|
| Assignee | Mircea Toma [ mircea.toma ] | |
| Fix Version/s | EE-4.0.0.GA [ 11170 ] | |
| Fix Version/s | EE-3.3.0.GA_P03 [ 11571 ] | |
| Assignee Priority | P1 [ 10010 ] |
| Repository | Revision | Date | User | Message |
| ICEsoft Public SVN Repository | #43809 | Thu Dec 11 12:03:00 MST 2014 | mircea.toma | |
| Files Changed | ||||
MODIFY
/icepush/trunk/icepush/core/src/main/java/org/icepush/PushContext.java
|
| Status | Open [ 1 ] | Resolved [ 5 ] |
| Resolution | Fixed [ 1 ] |
Need to verify that this change doesn't have any negative impacts on jMeter or other load testing scripts that need to populate the cookie into synthetic HTTP requests.
Customer has asked if the following other cookies can have these changes made as well:
• ice.connection.lease
• ice.connection.running
• ice.connection.contextpath
• ice.pushids
Show
Arran Mccullough
added a comment - Customer has asked if the following other cookies can have these changes made as well:
• ice.connection.lease
• ice.connection.running
• ice.connection.contextpath
• ice.pushids
| Resolution | Fixed [ 1 ] | |
| Status | Resolved [ 5 ] | Reopened [ 4 ] |
The cookies mentioned above are not set by the server and thus they cannot receive the httpOnly attribute.
Show
Mircea Toma
added a comment - The cookies mentioned above are not set by the server and thus they cannot receive the httpOnly attribute.
| Status | Reopened [ 4 ] | Resolved [ 5 ] |
| Resolution | Fixed [ 1 ] |
| Fix Version/s | 4.1 [ 11570 ] |
This change was reverted by ICE-10352 changes. This was by mistake or on purpose?
Show
Lukasz Koniecki
added a comment - This change was reverted by ICE-10352 changes. This was by mistake or on purpose?
It was on purpose. There are cases in ICEpush when ice.push.browser cookie is set from Javascript.
Show
Mircea Toma
added a comment - It was on purpose. There are cases in ICEpush when ice.push.browser cookie is set from Javascript.
| Status | Resolved [ 5 ] | Closed [ 6 ] |
Made 'ice.push.browser' cookie secure and have HttpOnly access.