PCI vulnerability - Cookie Does Not Contain The "secure" Attribute (PCI Compliance)
(Kerio User Forums » Kerio Connect)

blanco
I'm running KC 8.5.3. Any help would be appreciated.

Threat:
The cookie does not contain the "secure" attribute.

Based on the latest release of the PCI-DSS, this vulnerability is a PCI Fail.
PCI-DSSv3.1 requirement 6.5.10 is focused on secure session management, and refers to session cookies needing to have the "secure" attribute set within the Cardholder Data Environment.
Refer to PCI-DSSv3.1 for details.

Impact:
Cookies with the "secure" attribute are only permitted to be sent via HTTPS. Session cookies sent via HTTP expose an unsuspecting user to sniffing attacks that could lead to user impersonation or compromise of the application account.

Solution:
If the associated risk of a compromised account is high, apply the "secure" attribute to cookies and force all sensitive requests to be sent via HTTPS.
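One way to verify this kind of finding on a server you run, as an added example that is not from the thread or from Kerio: parse the Set-Cookie headers a response carries and list, per cookie, which of the Secure and HttpOnly flags are absent. The cookie names and values below are constructed, and fetch_set_cookies() is a generic helper assumed here, not a Kerio API.

```python
# Added example (not Kerio's code): audit Set-Cookie headers for the flags a
# PCI scanner checks. Cookie names/values are constructed; fetch_set_cookies()
# is a generic helper assumed here, not a Kerio API.
from __future__ import annotations

import ssl
import urllib.error
import urllib.request

REQUIRED_FLAGS = ("secure", "httponly")


def audit_set_cookie(header: str) -> tuple[str, list[str]]:
    """Parse one Set-Cookie value; return (cookie name, required flags missing)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive (RFC 6265); value-less ones are flags.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, [flag for flag in REQUIRED_FLAGS if flag not in attrs]


def audit_response_cookies(headers: list[str]) -> dict[str, list[str]]:
    """Map each cookie name to its missing flags (empty list means hardened)."""
    return dict(audit_set_cookie(h) for h in headers)


def fetch_set_cookies(url: str, verify_tls: bool = True) -> list[str]:
    """Live check: fetch `url` and return every Set-Cookie header, even on 4xx/5xx."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # appliance web UIs often carry self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
            return resp.headers.get_all("Set-Cookie") or []
    except urllib.error.HTTPError as err:
        return err.headers.get_all("Set-Cookie") or []


# Constructed sample of what a scanner might see from a webmail login page.
SAMPLE_HEADERS = [
    "SESSION_ID=0123abcd; Path=/; HttpOnly",          # lacks Secure -> PCI finding
    "PREF=compact; Path=/webmail; Secure; HttpOnly",  # hardened
]

if __name__ == "__main__":
    for name, missing in audit_response_cookies(SAMPLE_HEADERS).items():
        print(f"{name}: {'missing ' + ', '.join(missing) if missing else 'OK'}")
```

Point fetch_set_cookies() at the login URL of a server you administer and pass the result to audit_response_cookies() to get the same per-cookie verdict the scanner reports.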
blanco

So I can't post the detail, but it looks like it's happening on port 8443.
Pavel Dobry (Kerio)
That's quite strange as both ports 8443 and 443 are HTTPS. Do you have more details about what URL or web page is reported as not compliant with PCI?
blanco
Pavel Dobry (Kerio) wrote on Tue, 10 November 2015 22:26
> That's quite strange as both ports 8443 and 443 are HTTPS. Do you have more details about what URL or web page is reported as not compliant with PCI?

I do, but I'm not allowed to post links. I will try to obscure the URL below.

FYI - They scanned via IP address rather than domain name.

url: https: / / 65.51.190.173:8443/webmail/login2/./
blanco
It's coming up on port 80 and 443 as well.