  1. #11
    Join Date
    Apr 2013
    Posts
    10
    Plugin Contributions
    0

    Re: PCI Compliance/code injection

    Quote Originally Posted by DrByte View Post
    Only that most scan companies correctly categorize that as "Severity: Low" and "Compliance: Pass".
    Thanks for your help with these issues. I'm caught up with this secure cookie issue. It seems like these PCI Compliance scanners don't really believe that these things are problems, but their software identified something and they need to justify signing off on it. This is a message from the scan tech...

    "Sorry, we will need a response that addresses this vulnerability in order to provide an exception. You will need to either add the secure flag or provide a statement that there is no sensitive data in the cookie."

    Can someone please give me an answer that I could give that explains that there is no sensitive data in the cookie, or directions on how to add the secure flag? (I realize I could just write the statement, "there is no sensitive data in the cookie"; I just figure if it includes some kind of technical explanation they will be quick to accept it. I just really need to stop spending time on this.)

    Thanks for any help.

  2. #12
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: PCI Compliance/code injection

    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #13
    Join Date
    Nov 2007
    Location
    Woodbine, Georgia, United States
    Posts
    4,018
    Plugin Contributions
    61

    Re: PCI Compliance/code injection

    I am recently getting a bunch of reports for

    Details: SSL/TLS: Missing `secure` Cookie Attribute (NVT:1.3.6.1.4.1.25623.1.0.902661)
    Version used: $Revision: 4686 $
    References:CVSS v2 Vector: (Av:n/ac:l/au:n/c/i/a:n)
    CVE: NOCVE
    BID: NOBIDCERT:XREF:
    URL: http://www.ietf.org/rfc/rfc2965.txt , URL: https://www.owasp.org/index.php/Test...(OWASP-SM-002)

    I have already supplied them this page https://www.zen-cart.com/content.php?317-cookies

    I have received this fail from Carts 1.54 & PHP 5.6 as well as carts 1.5.5F & PHP 7.1.

    My question is, since it seems to be raining these, is there a way to change the carts so that they are setting the 'secure' attribute?

    ~Melanie
    PRO-Webs, Inc. :: Recent Zen Cart Projects :: Zen Cart SEO – 12 Steps to Success
    **I answer questions in the forum, private messages are NOT answered. You are welcome to contact us via our website for professional engagements.
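A checker that reproduces the scanner's test, as an added example that is not from this thread or from Zen Cart: it parses each Set-Cookie header of an HTTPS response and reports cookies missing the Secure (and HttpOnly) attribute, so the change described in the linked cookies article can be confirmed before the next scan. The sample headers are constructed, and the fetch helper and its URL are assumptions, not anything captured from a real store.

```python
"""Audit Set-Cookie headers for the attributes a PCI scan flags.

Added example (not from the forum thread or Zen Cart). Input is a list
of raw Set-Cookie header values as sent by the storefront over HTTPS.
"""


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, attrs).

    Attribute names are case-insensitive per RFC 6265, so they are
    lower-cased; flag attributes (Secure, HttpOnly) carry no value and
    are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if has_eq else True
    return name.strip(), attrs


def audit_cookies(set_cookie_headers, over_https=True):
    """Return {cookie_name: [missing attributes]} for cookies a scan would flag.

    Secure is only required for cookies set over HTTPS, which is how the
    finding is scoped ("SSL/TLS: Missing secure Cookie Attribute").
    """
    findings = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        missing = []
        if over_https and "secure" not in attrs:
            missing.append("Secure")
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if missing:
            findings[name] = missing
    return findings


def fetch_set_cookie_headers(url):
    """Fetch url (assumed to be the HTTPS storefront) and return its Set-Cookie values."""
    import urllib.request
    with urllib.request.urlopen(url) as resp:
        return resp.headers.get_all("Set-Cookie") or []


# Constructed sample headers (not captured from any site): a PHP session
# cookie missing Secure, and a second cookie that is set correctly.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; path=/; HttpOnly",
    "cart_pref=def456; path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

Running the audit against `fetch_set_cookie_headers("https://<your-store>/")` (placeholder host) before a scan shows exactly which cookies the scanner will report.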

  4. #14
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: PCI Compliance/code injection

    Discussed at: Cookies

