Thanks - I've submitted a bug report, hopefully to the right place. https://sourceforge.net/p/cosign/bugs/16/
-geoff

On 18 Feb 2015, at 15:26, Jorj Bauer <j...@isc.upenn.edu> wrote:

> The site's back as of a few minutes ago. (Apologies for interruption,
> everyone; migrating to github has been a bit rocky.)
>
> -- Jorj
>
>
> On Feb 18, 2015, at 5:28 AM, LEE Geoffrey <g....@ed.ac.uk> wrote:
>
>> Hi Folks,
>>
>> I recently noticed a few things while auditing one of our web applications
>> for XSS vulnerabilities.
>>
>> 1. The Cosign filter in version 3.2 supports setting the HttpOnly flag on
>> service cookies
>> 2. This option isn't documented anywhere I can find (though it's mentioned
>> in the release notes) [1]
>> 3. It's not enabled by default
>>
>> Given that stealing a user's service cookie via XSS provides an attacker
>> with the ability to log into $service for as long as that user's cosign
>> session is active, is there any reason why this feature is not enabled by
>> default in the filter and server?
>>
>> Is the lack of documentation a bug, or is the feature not considered
>> complete for some reason?
>>
>> Thanks for any clarification - if a bug report would be more
>> useful/appropriate I'll submit one as soon as the site comes back :-)
>>
>> -geoff
>>
>>
>> 1. Readable on
>> http://sourceforge.net/projects/cosign/files/cosign/cosign-3.2.0/
>> ___________________________________
>> * NB: I do not work Wednesday PM *
>>
>> Geoff Lee <g....@ed.ac.uk>
>> Senior Computing Officer
>> Edinburgh College of Art
>> University of Edinburgh
>> Hunter Building,
>> Lauriston Place,
>> Edinburgh, Scotland,
>> EH8 9DF
>> Tel: +44 (0)131 650 2341
>> Twitter: @eca_it
>> ___________________________________
>>
>> --
>> The University of Edinburgh is a charitable body, registered in
>> Scotland, with registration number SC005336.
>>
>> _______________________________________________
>> Cosign-discuss mailing list
>> Cosign-discuss@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/cosign-discuss
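An added example of the kind of audit the original post describes (this is not code from the thread or from cosign itself): a small Python check that parses Set-Cookie headers from a response and reports session cookies issued without the HttpOnly or Secure flag. The header values, cookie values and the `cosign-` name-prefix filter are constructed assumptions; adjust the prefix to whatever your deployment actually issues.

```python
"""Report session cookies set without HttpOnly / Secure flags."""
from dataclasses import dataclass, field

# Flags a session cookie should carry; compared case-insensitively.
REQUIRED_FLAGS = ("httponly", "secure")


@dataclass
class CookieFinding:
    name: str
    missing: list = field(default_factory=list)


def parse_set_cookie(header: str):
    """Split one Set-Cookie header into (name, value, {attr_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:  # tolerate trailing ';'
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header: str, session_prefixes=("cosign",)):
    """Return a CookieFinding if a session cookie lacks a required flag, else None.

    session_prefixes is an assumption about how the SSO cookies are named.
    """
    name, _value, attrs = parse_set_cookie(header)
    if not name.lower().startswith(session_prefixes):
        return None  # not a session cookie we care about
    missing = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
    return CookieFinding(name, missing) if missing else None


def audit_response_headers(headers):
    """Run audit_set_cookie over every Set-Cookie header of a response."""
    return [f for field_name, value in headers
            if field_name.lower() == "set-cookie"
            for f in [audit_set_cookie(value)] if f]


# Constructed response headers: no flags (the default the thread complains
# about), HttpOnly only, both flags, and an unrelated non-session cookie.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "cosign-myapp=abc123; path=/"),
    ("Set-Cookie", "cosign-other=def456; path=/; HttpOnly"),
    ("Set-Cookie", "cosign-safe=ghi789; path=/; Secure; HttpOnly"),
    ("Set-Cookie", "theme=dark; path=/"),
]

if __name__ == "__main__":
    for finding in audit_response_headers(SAMPLE_HEADERS):
        print(f"{finding.name}: missing {', '.join(finding.missing)}")
```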