Missing Secure Flag & HttpOnly Flag From SSL Cookie - OWA
Hello, I've been stuck on this issue for a few days and am hoping to get some help with it...
We are running Exchange 2010 with SP1 Rollup 6. The server is running great and OWA is on 443. We have two servers for Exchange: one is running the Transport and Mailbox roles, and the other is the CAS. We use IBM for firewall / IDS and we run scheduled penetration tests.
We came back with two vulnerabilities:
1) Missing HttpOnly Flag From Cookie
2) Missing Secure Flag From SSL Cookie
Their solution is to:
Add the HttpOnly to all cookies and Add the Secure flag to cookies sent over SSL
I tried adding this line and playing with the boolean with no luck:
<httpCookies httpOnlyCookies="false" requireSSL="true" domain="" />
I set this in the web.config under Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa
If I turn httpOnlyCookies="true" it will break OWA
Any help would be appreciated! Thanks :) Will
February 15th, 2012 4:28pm
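The two scan findings above are both about attributes on the Set-Cookie header. In ASP.NET, the `<httpCookies>` element in web.config controls them: `httpOnlyCookies="true"` makes ASP.NET mark the cookies it emits as HttpOnly (not readable by script), and `requireSSL="true"` marks them Secure (only sent over HTTPS). The following is an added example, not code from this thread or from Microsoft: it parses raw Set-Cookie values the way a vulnerability scanner does and reports which cookies lack each flag, so you can verify a change against the CAS server yourself instead of waiting for the next scheduled scan. The header list it runs on by default is constructed for illustration (the cookie names are not OWA's); `fetch_set_cookie_headers` is an assumed helper for pointing it at a live host.

```python
"""Check Set-Cookie headers for the HttpOnly and Secure attributes.

Added example, not code from the TechNet thread or from Microsoft.
The sample headers below are constructed; point fetch_set_cookie_headers
at a real OWA host to check live output.
"""
import http.client
from typing import Dict, List, NamedTuple


class CookieReport(NamedTuple):
    name: str
    httponly: bool
    secure: bool


def parse_set_cookie(header_value: str) -> CookieReport:
    """Parse one Set-Cookie value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attributes are "Name=Value" or bare flags like "Secure"; keep just the names.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieReport(name=name, httponly="httponly" in attrs, secure="secure" in attrs)


def find_missing_flags(headers: List[str], over_tls: bool = True) -> Dict[str, List[str]]:
    """Return {'HttpOnly': [...], 'Secure': [...]} listing cookies lacking each flag.

    The Secure check only matters for cookies set over TLS (the finding was
    "Missing Secure Flag From SSL Cookie"), so it is skipped when over_tls is False.
    """
    missing: Dict[str, List[str]] = {"HttpOnly": [], "Secure": []}
    for h in headers:
        c = parse_set_cookie(h)
        if not c.httponly:
            missing["HttpOnly"].append(c.name)
        if over_tls and not c.secure:
            missing["Secure"].append(c.name)
    return missing


def fetch_set_cookie_headers(host: str, path: str = "/owa/") -> List[str]:
    """Assumed helper: fetch one HTTPS response and return its Set-Cookie values.

    Not run by default; it performs a live request against `host`.
    """
    conn = http.client.HTTPSConnection(host, 443, timeout=10)
    try:
        conn.request("GET", path, headers={"User-Agent": "cookie-flag-check"})
        resp = conn.getresponse()
        return [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    finally:
        conn.close()


# Constructed sample: cookie names are illustrative, not OWA's real cookies.
SAMPLE_HEADERS = [
    "sessionid=abc123; path=/",                     # neither flag set
    "prefs=en-US; path=/; HttpOnly",                # HttpOnly only
    "authtoken=Z29vZA==; path=/; Secure; HttpOnly", # both flags, as the scanner wants
]


if __name__ == "__main__":
    report = find_missing_flags(SAMPLE_HEADERS)
    for flag, names in report.items():
        print(f"Missing {flag}: {', '.join(names) or 'none'}")
```

Run it against the CAS (`fetch_set_cookie_headers("owa.example.test")`, an assumed hostname) both before and after touching web.config; a change that adds the flags but breaks the logon will still show up as "none" missing, so keep checking that OWA actually works rather than trusting the flags alone.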
Xiu - I am having the exact same issue with vulnerability scan results. Our PCI QSA requires that we have documentation if we intend to ignore the reported vulnerability. Unfortunately, a conversational post on TechNet won't meet that documentation requirement.
Can you direct me to any resources from Microsoft that describe the fact that the HTTPOnly flag isn't set and the Secure flag is missing? And also that describe the best practices and safeguards in the code for OWA to prevent against cross site scripting?
Thank you - Corey
March 20th, 2012 9:42am
Hi Xiu,
We also have this vulnerability and we need a fix or a supporting documents if we cannot apply a fix. I appreciate if you could give us info.
Thanks!
April 10th, 2012 8:13pm
I am having the exact same issue with vulnerability scan results. Our PCI QSA requires that we have documentation if we intend to ignore the reported vulnerability. Can you direct me to any resources from Microsoft that describe the fact that the HTTPOnly flag isn't set and the Secure flag is missing? And also that describe the best practices and safeguards in the code for OWA to prevent against cross site scripting?
June 5th, 2012 2:25am
We could benefit from this information, as well. One of our customers had a 3rd-party security audit conducted, and they cited the fact that our web application does not use secure cookies as a potential vulnerability. They asked us to "fix" this by setting the following entry in the web.config file: <httpCookies requireSSL="true" />.
June 11th, 2012 9:15am
I also could use supporting documentation. Has anyone found that?
July 30th, 2012 2:30pm
Did you fix this issue?
August 9th, 2012 11:43am
Did you fix this vulnerability? I'm also getting this on the PCI scan result. I need to find out how to fix this.
August 9th, 2012 11:43am
I have not found a fix as of yet. Currently going to file for an "exception" with my Security Team and see if that will satisfy them. All traffic for the sites in question occurs across a secure internal network, so that's the angle I'm playing.
August 9th, 2012 2:02pm
Did anyone ever find documentation or a workaround for this? We are trying to complete our PCI compliance and this is one of the last things we are failing on.
September 5th, 2012 2:11pm
I'm having the same issue with a vulnerability scan picking up the missing secure attribute. Microsoft needs to fix this rather than saying it is "by design".
October 9th, 2012 4:47am
Tippers,
We were able to request an exception from our ASV, since the only fix I could find broke OWA.
Hope this helps...
October 9th, 2012 9:29am
Xiu, can you direct me to any resources from Microsoft that describe the fact that the HTTPOnly flag is missing from the cookie and the Secure flag is missing from the SSL cookie also?
October 15th, 2012 1:48pm