Closed Xitro01 closed 2 years ago
Thanks, I will have a look ASAP.
I've added some hardening, can you please test again?
All good now! Only thing I would like to add is the XSS security header (should've mentioned that straight away):
```apache
Header set X-XSS-Protection "1; mode=block"
```
These changes give the application the basic security hygiene that every web application should have. Not really necessary to retest that last change, you may close this issue when this is added!
Thanks for your quick response!
P.S. What version of Spotweb is this docker currently running (is it 1.5.1)? This might help in creating a CVE for the XSS issue.
Thanks for the heads up! I've added the XSS protection header.
The build checks out the master branch, I can't find any version tags in the repo.
As can be seen in this issue, I've found an XSS in the Spotweb application: https://github.com/spotweb/spotweb/issues/718
I also found a couple of other security issues related to the Apache web server used by this Docker image. I assume that this has nothing to do with the core application, but with how this Docker image has been configured.
My advice is to harden the used Apache server (configuration):
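The thread stops at the advice to harden the Apache configuration and the request to add the X-XSS-Protection header. The fragment below is an added example, not the project's or the reporter's configuration and not the change the maintainer actually made: it shows what a hardened Apache 2.4 virtual host for a PHP application like Spotweb typically looks like, with the header from the thread among the others. It assumes mod_headers and mod_ssl are loaded; the server name, document root and TLS file paths are placeholders.

```apache
# Added example (not from the thread or the Spotweb project).
# Assumes Apache 2.4 with mod_headers and mod_ssl enabled.
# Apache does not allow trailing comments, so every comment is on its own line.

# Stop advertising the exact server version in headers and error pages
ServerTokens Prod
ServerSignature Off
# TRACE is rarely needed and can echo request headers back to a client
TraceEnable Off

<VirtualHost *:443>
    # Placeholder values; replace with the real host name and paths
    ServerName spotweb.example.invalid
    DocumentRoot /var/www/spotweb
    SSLEngine on
    SSLCertificateFile /etc/ssl/placeholder/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/placeholder/privkey.pem

    # Tell browsers to use HTTPS only, for one year, once the site works over TLS
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    # Stop MIME-type sniffing, which can turn uploaded text into executable script
    Header always set X-Content-Type-Options "nosniff"
    # Only allow this site to frame itself (clickjacking)
    Header always set X-Frame-Options "SAMEORIGIN"
    # The header requested in the thread; see the note below about its status
    Header always set X-XSS-Protection "1; mode=block"
    # Limit what the Referer header leaks to other origins
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # The effective XSS mitigation in current browsers; tighten script-src once
    # the application no longer needs inline scripts
    Header always set Content-Security-Policy "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
    # Remove the PHP stack disclosure header if the runtime adds it
    Header always unset X-Powered-By

    <Directory /var/www/spotweb>
        # No directory listings, no server-side includes, no .htaccess overrides
        Options -Indexes -Includes -ExecCGI
        AllowOverride None
        Require all granted
    </Directory>

    # Block dotfiles (.git, .env, .htaccess) and editor/backup leftovers
    <FilesMatch "(^\.|~$|\.(bak|orig|sql|swp)$)">
        Require all denied
    </FilesMatch>
</VirtualHost>

<VirtualHost *:80>
    ServerName spotweb.example.invalid
    # Redirect every plain-HTTP request to the TLS host
    Redirect permanent / https://spotweb.example.invalid/
</VirtualHost>
```

Validate the syntax with `apachectl configtest` before reloading, then confirm the headers are actually emitted with `curl -I https://<host>/`. One caveat on the header the thread asks for: current Chromium and Firefox releases have removed the built-in XSS auditor and ignore X-XSS-Protection entirely, so it adds no protection on a modern browser; the Content-Security-Policy line is the control that actually constrains where script can load from, and output encoding in the application (the fix in the linked Spotweb issue) remains the primary defence.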