jgeusebroek / docker-spotweb

A docker image running ubuntu/20.04 Linux and Spotweb

Apply hardening to Apache webserver #41

Closed Xitro01 closed 2 years ago

Xitro01 commented 2 years ago

As can be seen in this issue, I've found an XSS in the spotweb application: https://github.com/spotweb/spotweb/issues/718

Also, I found a couple of other security issues related to the Apache webserver used by this docker; I assume that this has nothing to do with the core application, but with how this docker has been configured.

My advice is to harden the used Apache server (configuration):

jgeusebroek commented 2 years ago

Thanks, I will have a look ASAP.

jgeusebroek commented 2 years ago

I've added some hardening, can you please test again?

Xitro01 commented 2 years ago

All good now! Only thing I would like to add is the XSS security header (should've mentioned that straight away):

Header set X-XSS-Protection "1; mode=block"

These changes give the application the basic security hygiene that every web application should have. Not really necessary to retest that last change, you may close this issue when this is added!

Thanks for your quick response!

P.S. What version of Spotweb is this docker currently running (is it 1.5.1)? This might help in creating a CVE for the XSS issue.
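A retest script of the kind used to verify changes like the ones discussed in this thread, added here as an example (it is not part of docker-spotweb and not code from either commenter). The two sample responses are constructed, `spotweb.example` is a placeholder hostname, and the list of "basic hygiene" headers is my assumption of what a hardened Apache in front of Spotweb should emit, not something the issue spells out:

```shell
#!/bin/sh
# Added example: check an HTTP response header block (on stdin) for the basic
# hardening headers discussed in this issue. Not from the docker-spotweb repo.
# Live use (placeholder host):  curl -sI https://spotweb.example/ | check_headers

# Prints one line per check; returns 0 if nothing is missing, 1 otherwise.
check_headers() {
    # Normalise: drop CRs, lowercase header names and values for matching.
    hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')
    rc=0
    for want in \
        'x-content-type-options: nosniff' \
        'x-frame-options:' \
        'content-security-policy:' \
        'referrer-policy:' \
        'strict-transport-security:'
    do
        if printf '%s\n' "$hdrs" | grep -q "^$want"; then
            echo "ok       $want"
        else
            echo "MISSING  $want"
            rc=1
        fi
    done
    # Apache's default "Server: Apache/2.4.41 (Ubuntu)" discloses version and OS;
    # with "ServerTokens Prod" it collapses to "Server: Apache" (no digits).
    if printf '%s\n' "$hdrs" | grep -q '^server: .*[0-9]'; then
        echo "WARN     server header discloses a version (set ServerTokens Prod)"
        rc=1
    fi
    # PHP adds "X-Powered-By: PHP/x.y.z" unless expose_php = Off in php.ini.
    if printf '%s\n' "$hdrs" | grep -q '^x-powered-by:'; then
        echo "WARN     x-powered-by discloses the PHP version (set expose_php = Off)"
        rc=1
    fi
    # X-XSS-Protection is the legacy header requested above. Current browsers
    # ignore it, so its absence is only noted; Content-Security-Policy is the
    # control that actually limits script injection.
    if ! printf '%s\n' "$hdrs" | grep -q '^x-xss-protection:'; then
        echo "note     x-xss-protection absent (legacy header; CSP is what matters)"
    fi
    return $rc
}

# Constructed sample responses (not captured from a real server).
UNHARDENED="HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Content-Type: text/html; charset=UTF-8"

HARDENED="HTTP/1.1 200 OK
Server: Apache
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=31536000
X-XSS-Protection: 1; mode=block
Content-Type: text/html; charset=UTF-8"

echo "--- unhardened (expected to fail) ---"
printf '%s\n' "$UNHARDENED" | check_headers || true
echo "--- hardened ---"
printf '%s\n' "$HARDENED" | check_headers
```

On Apache the directives behind these checks are `ServerTokens Prod` and `ServerSignature Off` for the disclosure findings, and `Header always set ...` from mod_headers for each response header; the `always` condition matters because without it the headers are not added to error responses, which is exactly where a scanner like the one used here will look.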

jgeusebroek commented 2 years ago

Thanks for the heads up! I've added the XSS protection header.

The build checks out the master branch, I can't find any version tags in the repo.