Hello,

My security team has run vulnerability tests on Spacewalk 1.5 and found 2 issues:
- One XSS flaw on forgot password page
- Missing HTTPOnly tag in the cookie.

I've tried to add HTTPOnly tag in the cookie using mod_headers with Apache, but the Overview page fails with error "Session error" when we add it. This is the only page failing from my quick tests. Is the cookie accessed from JavaScript in Spacewalk? Could it be possible to correct it?

I'll post later for the XSS flaw, I still need more information to give to you.

Thanks
_______________________________________________
Spacewalk-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/spacewalk-list
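Added example, not part of the original message and not Spacewalk or Apache code: a small Python audit that lists which `Set-Cookie` headers lack `HttpOnly` and emulates a proxy-side rewrite that appends the flag only when it is absent. A cookie carrying `HttpOnly` is no longer visible to `document.cookie`, so running the audit before and after the rewrite shows exactly which cookies a page script would lose access to. The cookie names and values are constructed.

```python
# Constructed Set-Cookie values as a response might carry them
# (names and values are illustrative, not taken from Spacewalk).
SAMPLE_SET_COOKIE = [
    "session-cookie=abc123x; Path=/; Secure",
    "lang=en; Path=/; HttpOnly",
    "prefs=compact; Expires=Wed, 09 Jun 2032 10:18:14 GMT; httponly",
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are lower-cased because they are case-insensitive.
    Assumes the cookie value itself contains no ';'.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def missing_httponly(set_cookie_values):
    """Return the names of cookies whose Set-Cookie lacks HttpOnly."""
    parsed = (parse_set_cookie(v) for v in set_cookie_values)
    return [name for name, _, attrs in parsed if "httponly" not in attrs]


def add_httponly(header_value):
    """Append HttpOnly only when absent, so a second pass is a no-op."""
    _, _, attrs = parse_set_cookie(header_value)
    if "httponly" in attrs:
        return header_value
    return header_value.rstrip("; ") + "; HttpOnly"


if __name__ == "__main__":
    print("missing HttpOnly:", missing_httponly(SAMPLE_SET_COOKIE))
    for value in SAMPLE_SET_COOKIE:
        print(add_httponly(value))
```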
