opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

GSA reports SSL/TLS: Missing `secure` and `httponly` Cookie Attribute #4253

Closed gbonny1982 closed 3 years ago

gbonny1982 commented 4 years ago

I'm running opnsense both 20.1.9_1 and 20.7 on ESXi 6.7. Now I ran a vulnerability scan with Greenbone Security Advisor Community Edition which reports the following for both systems:

> Summary: The host is running a server with SSL/TLS and is prone to information disclosure vulnerability.
> Detection Result: The cookies: Set-Cookie: PHPSESSID=replaced; path=/ are missing the "secure" attribute.
>
> Summary: The application is missing the 'httpOnly' cookie attribute.
> Detection Result: The cookies: Set-Cookie: PHPSESSID=replaced; path=/ are missing the "httpOnly" attribute.

I'm using:

I tried ticking/unticking HSTS but that didn't help either. Am I doing something wrong, what else can I check or is it a bug? Let me know what further information is required to assess this issue. I've seen release notes 17.7 stating these things should be added / fixed, but GSA reports otherwise.

fichtner commented 4 years ago

Are you security-auditing the HTTP (Port 80) -> HTTPS (Port 443) redirect? If unsure, you can diagnose this by turning off the redirect under System: Settings: Administration and running the audit again.

In general the report would mention target IP+Port and other metrics that are relevant to the audit, but I don't see them here.
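As an added example (not code from OPNsense or Greenbone), a small Python check that reproduces the finding quoted in the report and lets you audit the final HTTPS page rather than the port-80 redirect raised above; the host, port and TLS context passed to `audit_https` are whatever you point it at.

```python
# Added example, not OPNsense or Greenbone code: flag Set-Cookie headers that
# lack the Secure and HttpOnly attributes the scan in the thread reports.
import http.client
import ssl


def parse_set_cookie(value):
    """Return (cookie_name, {attribute_name_lowercase: value}) for one
    Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def missing_attributes(set_cookie_values, required=("secure", "httponly")):
    """Return [(cookie_name, [missing, ...]), ...] for every cookie lacking a
    required attribute; an empty list means every cookie is clean."""
    findings = []
    for raw in set_cookie_values:
        name, attrs = parse_set_cookie(raw)
        missing = [a for a in required if a not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


def audit_https(host, port=443, path="/", context=None, timeout=5.0):
    """Fetch one page over TLS and return (status, findings). A 3xx status
    means the audited response was a redirect rather than the GUI page
    itself, the mix-up raised in the thread; audit the final page instead."""
    ctx = context or ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        # get_all() keeps each Set-Cookie header separate; getheader() would
        # join them with commas and garble cookies carrying Expires dates.
        return resp.status, missing_attributes(resp.headers.get_all("Set-Cookie") or [])
    finally:
        conn.close()


# Constructed samples: the header quoted in the scan report, and a hardened form.
SCAN_HEADER = "PHPSESSID=replaced; path=/"
HARDENED_HEADER = "PHPSESSID=replaced; path=/; Secure; HttpOnly; SameSite=Lax"
```

`missing_attributes([SCAN_HEADER])` reports both attributes missing for `PHPSESSID`, while the hardened header passes; a self-signed GUI certificate needs a `context` that trusts it.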

gbonny1982 commented 4 years ago

GSA reports for both systems: 443/tcp ( should have added that before :) )

"Disable web GUI redirect rule" was unticked for both systems during the scan (and still is).

gbonny1982 commented 4 years ago

I ticked "Disable web GUI redirect rule" on one server, ran the vulnerability test again, but the problem still persists.

OPNsense-bot commented 3 years ago

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.