PCI Compliance scan report: The cookie does not contain the secure attribute

Created:

2016-11-16 12:44:37 UTC

Modified:

2017-08-16 16:52:40 UTC



Applicable to:

  • Plesk 12.5 for Linux

Symptoms

The PCI scan report shows the following output:

    THREAT: The cookie does not contain the "secure" attribute.

    SOLUTION: If the associated risk of a compromised account is high, apply the "secure" attribute to cookies and force all sensitive requests to be sent via HTTPS.

    RESULT: Scan Results page 23
    url: https://1.2.3.4:8443/login_up.php3?success_redirect_url=https%3A%2F%2F1.2.3.4%3A8443%2F
    Payload: N/A
    matched: psaContext=dashboard; path=/; domain=1.2.3.4

Cause

PCI scanners wrongly treat the psaContext cookie as a session token, so its missing "secure" attribute is reported as a finding.

This is a Plesk internal issue (id #PPPM-4811) that was fixed in Plesk Onyx.
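To show what the scanner is actually checking, the following added example (not part of the Plesk article or the Plesk codebase) parses Set-Cookie header values and lists the cookies set without the Secure attribute. The first sample header is the cookie quoted in the scan report above; the other two are constructed, and the `Cookie`, `parse_set_cookie`, `missing_secure` and `add_secure` names are the example's own. It also shows the scanner's suggested remediation (appending Secure) clearing the finding, which is the alternative to the workaround below of dropping the cookie entirely.

```python
"""Report cookies that a PCI scanner would flag for lacking the Secure attribute.

Added example, not part of the Plesk article. Set-Cookie attribute names are
case-insensitive (RFC 6265), so they are compared in lower case.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed Set-Cookie header values as a scanner would see them on an
# HTTPS response. The first mirrors the 'matched' line from the scan report.
SAMPLE_HEADERS = [
    "psaContext=dashboard; path=/; domain=1.2.3.4",
    "session=abc123; path=/; HttpOnly; Secure",
    "theme=light; Path=/; Max-Age=31536000; Secure",
]


@dataclass
class Cookie:
    name: str
    value: str
    # Lower-cased attribute name -> value; flag attributes (Secure, HttpOnly)
    # are stored with an empty string as their value.
    attributes: Dict[str, str] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed Set-Cookie header: {header!r}")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        if not attr:
            continue  # tolerate a trailing ';'
        key, _, val = attr.partition("=")
        cookie.attributes[key.strip().lower()] = val.strip()
    return cookie


def missing_secure(headers: List[str]) -> List[str]:
    """Names of cookies set without Secure: the condition the PCI scan flags."""
    return [
        c.name for c in map(parse_set_cookie, headers) if "secure" not in c.attributes
    ]


def add_secure(header: str) -> str:
    """Return the header with '; Secure' appended if the attribute is absent.

    This is the scanner's SOLUTION applied to a single header; the article's
    workaround instead removes the offending cookie from the codebase.
    """
    if "secure" in parse_set_cookie(header).attributes:
        return header
    return header.rstrip("; ") + "; Secure"


if __name__ == "__main__":
    print("Flagged:", missing_secure(SAMPLE_HEADERS))
    hardened = [add_secure(h) for h in SAMPLE_HEADERS]
    print("Flagged after adding Secure:", missing_secure(hardened))
```

Run against a real server by collecting the Set-Cookie values from an HTTPS response and passing them to `missing_secure`; an empty list means the scanner's check would pass for those cookies.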

Resolution

Upgrade to the latest Plesk version.

If upgrading to Plesk Onyx is not possible, apply the following workaround patch (for Plesk 12.5 only), which removes this cookie from the codebase:

  1. Create backups of /usr/local/psa/admin/plib/Navigation.php and /usr/local/psa/admin/plib/AdminPanel/Controller/Action/Abstract.php on the server:

    # cp /usr/local/psa/admin/plib/Navigation.php /usr/local/psa/admin/plib/Navigation.php_back
    # cp /usr/local/psa/admin/plib/AdminPanel/Controller/Action/Abstract.php /usr/local/psa/admin/plib/AdminPanel/Controller/Action/Abstract.php_back
  2. Download the patched files Navigation.php and Abstract.php:

    # cd /root
    # wget https://support.plesk.com/hc/article_attachments/115004383969/Navigation.zip
    # wget https://support.plesk.com/hc/article_attachments/115004351805/Abstract.zip
  3. Unzip patched files:

    # cd /root
    # unzip Navigation.zip
    # unzip Abstract.zip
  4. Replace the original files with the patched ones:

    # cp Navigation.php /usr/local/psa/admin/plib/
    # cp Abstract.php /usr/local/psa/admin/plib/AdminPanel/Controller/Action/

Note: the patch is applicable to Plesk 12.5 only.
