Centos – Apache httpOnly Cookie Information Disclosure CVE-2012-0053

apache-2.2centosSecurity

A PCI compliance scan, on a CentOS LAMP server fails with this message. The server header and ServerSignature don't expose the Apache version.

Apache httpOnly Cookie Information Disclosure CVE-2012-0053

Can this be resolved by simply specifying a custom ErrorDocument for the 400 Bad Request response? How is the scanner determining this vulnerability, is it invoking a bad request then looking to see if it's the default Apache 400 response?

Best Answer

This page suggests that it is mitigated by supplying a custom ErrorDocument and that it is resolved in Apache 2.2.22.

Your best bet for verifying this is to make your own ErrorDocument or upgrade Apache and run the scan again.

Related Solutions

Security – IIS 6.0 PCI Compliance – “Information Disclosure Vulnerability”

We needed to UNCHECK "Integrated Windows Authentication" in the site's IIS properties:

right click the website in IIS, click "properties"
click "Directory Security" TAB
under "Authentication and access control", click "Edit"
under "Authenticated access", UNCHECK "integrated windows authentication"

I rescanned after making this change and we passed compliance.

Apache load balancing doesn’t set cookie with route information

I am not sure why it stays with 2. However part of your config is

Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED

env=BALANCER_ROUTE_CHANGED

will be 1 if the router has changed 0 otherwise, so if the route has not changed, then the cookie will not be set unless it needs to change to a new value.

Best Answer

Related Solutions

Security – IIS 6.0 PCI Compliance – “Information Disclosure Vulnerability”

Apache load balancing doesn’t set cookie with route information

Related Topic