https://issues.apache.org/bugzilla/show_bug.cgi?id=55896

            Bug ID: 55896
           Summary: Secure page can be cached in browser.  Cache control
                    is not set in HTTP header nor HTML header.
           Product: Apache httpd-2
           Version: 2.2.15
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_headers
          Assignee: [email protected]
          Reporter: [email protected]

Created attachment 31123
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31123&action=edit
added HTML headers which made the security flag disappear.

Hi,
When running OWASP ZAP web security tool, I get the following flag:
Secure page can be cached in browser.  Cache control is not set in HTTP header
nor HTML header.  Sensitive content can be recovered from browser storage.

I was surprised since I had the no-cache header in both the HTML code and the httpd
header.

After investigating the flag, I noticed that the response was a generic 302
Found error response from Apache (located in
apache/src/modules/http/http_protocol.c).

I have added a patch to the code that adds the cache-control & pragma HTML
headers with no-cache, and that has solved the security flag (patch attached).

full response given:
header:
HTTP/1.1 302 Found
Date: Sat, 30 Nov 2013 10:44:40 GMT
Server: Apache
X-Frame-Options: DENY
Location: https://10.209.0.81/admin/launch?script=rh&template=login&v_error=Incorrect%20user%20id%20or%20password.&f_user_id=ZAP
Content-Length: 376
Content-Type: text/html; charset=iso-8859-1

body:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a
href="https://10.209.0.81/admin/launch?script=rh&amp;template=login&amp;v_error=Incorrect%20user%20id%20or%20password.&amp;f_user_id=ZAP";>here</a>.</p>
<hr>
<address>Apache Server at 10.209.0.81 Port 443</address>
</body></html>


In conclusion:
1. bug is "Secure page can be cached in browser." (found by owasp zap) for
https page response "302 Found" from Apache.

2. recommended solution: add to http_protocol.c the no-cache in the HTML head in
case HTTPS was called.

3. test case could be taken from OWASP ZAP on https url.

Would appreciate it if it could be fixed, even in a patch manner, and I would test
it locally.

Thanks,
Meir

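The check the reporter ran can be reproduced offline against the captured 302 above. The following is an added example written for this page; it is not OWASP ZAP's code and not part of httpd or the attached patch. The pass/fail rule (a response passes when no-store or no-cache appears in a Cache-Control header, or no-cache in a Pragma header, either as an HTTP header or as an HTML meta http-equiv tag) is my reading of the finding text, and the helper names (anti_cache_sources, add_header, add_meta, BUG_302) are mine. BUG_302 is the response from the report transcribed into a byte string with CRLF line endings, so the Content-Length it carries is the reported value and is not re-checked. The scheme is not in the response itself, so the caller is responsible for only applying this to HTTPS traffic.

```python
"""ZAP-style 'secure page can be cached' check, reproduced offline.

Added example for this bug report (not ZAP's or httpd's code).  The rule is an
assumption: a response passes when an anti-caching directive is present as an
HTTP header or as an HTML <meta http-equiv> tag.
"""
from html.parser import HTMLParser

ANTI_CACHE = {"no-store", "no-cache"}   # accepted Cache-Control tokens (assumption)

# The 302 from the report, transcribed with CRLF line endings.  Content-Length
# is the reported value; the reflowed body is not re-measured here.
BUG_302 = (
    b"HTTP/1.1 302 Found\r\n"
    b"Date: Sat, 30 Nov 2013 10:44:40 GMT\r\n"
    b"Server: Apache\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"Location: https://10.209.0.81/admin/launch?script=rh&template=login"
    b"&v_error=Incorrect%20user%20id%20or%20password.&f_user_id=ZAP\r\n"
    b"Content-Length: 376\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    b"<html><head>\n<title>302 Found</title>\n</head><body>\n"
    b"<h1>Found</h1>\n<p>The document has moved <a "
    b'href="https://10.209.0.81/admin/launch?script=rh&amp;template=login'
    b'&amp;v_error=Incorrect%20user%20id%20or%20password.&amp;f_user_id=ZAP">'
    b"here</a>.</p>\n<hr>\n<address>Apache Server at 10.209.0.81 Port 443</address>\n"
    b"</body></html>\n"
)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body.decode("iso-8859-1", "replace")


def directives(value: str) -> set:
    """'no-store, max-age=0' -> {'no-store', 'max-age'} (token names only)."""
    return {t.strip().lower().split("=", 1)[0] for t in value.split(",") if t.strip()}


class MetaFinder(HTMLParser):
    """Collect (http-equiv, content) pairs from <meta> tags in the body."""

    def __init__(self):
        super().__init__()
        self.metas = []

    def handle_starttag(self, tag, attrs):
        if tag == "meta":                       # HTMLParser lowercases tag/attr names
            d = {k: (v or "") for k, v in attrs}
            if "http-equiv" in d:
                self.metas.append((d["http-equiv"].lower(), d.get("content", "")))


def anti_cache_sources(raw: bytes) -> list:
    """Describe every anti-caching directive found: HTTP headers first, then
    <meta> tags.  An empty list is the ZAP finding: the response is cacheable."""
    _, headers, body = parse_response(raw)
    found = []
    for name, value in headers:
        if name == "cache-control" and directives(value) & ANTI_CACHE:
            found.append(f"header Cache-Control: {value}")
        elif name == "pragma" and "no-cache" in directives(value):
            found.append(f"header Pragma: {value}")
    finder = MetaFinder()
    finder.feed(body)
    for equiv, content in finder.metas:
        if equiv == "cache-control" and directives(content) & ANTI_CACHE:
            found.append(f"meta cache-control: {content}")
        elif equiv == "pragma" and "no-cache" in directives(content):
            found.append(f"meta pragma: {content}")
    return found


def add_header(raw: bytes, header_line: bytes) -> bytes:
    """Insert one header line after the status line (models a server-side fix)."""
    status, sep, rest = raw.partition(b"\r\n")
    return status + sep + header_line + b"\r\n" + rest


def add_meta(raw: bytes, equiv: str, content: str) -> bytes:
    """Insert a <meta http-equiv> tag into <head> (models the reporter's patch)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    tag = f'<meta http-equiv="{equiv}" content="{content}">'.encode("iso-8859-1")
    return head + sep + body.replace(b"<head>", b"<head>" + tag, 1)


if __name__ == "__main__":
    cases = [("as reported", BUG_302),
             ("header fix", add_header(BUG_302, b"Cache-Control: no-store, no-cache")),
             ("meta fix", add_meta(BUG_302, "Pragma", "no-cache"))]
    for label, resp in cases:
        hits = anti_cache_sources(resp)
        print(label, "->", "; ".join(hits) if hits else "FAIL: cacheable")
```

Running it shows the captured response failing, and either a Cache-Control header or a Pragma meta tag making it pass; a Cache-Control value such as max-age=0 alone still fails, because it is not an anti-storage directive. One configuration-side check worth making before patching http_protocol.c: in mod_headers (2.2.12 and later, so the reporter's 2.2.15 qualifies) a plain `Header set` operates on the table used for normal responses, while `Header always set Cache-Control "no-store, no-cache"` operates on the table that httpd also emits with its own locally generated error and redirect responses, which is what this 302 is.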