Hello everyone, I always find this forum a helpful reference.
Our Moodle system was flagged by a MicroFocus vulnerability scan for three cookie-related vulnerabilities.
Embarrassingly, I do not know how to deal with these, and I would be grateful if you could tell me how to address them.
[Vulnerabilities reported by MicroFocus]
1.
This policy states that any area of the website or web application that contains sensitive information or access to privileged functionality such as remote site administration requires that all cookies are sent via SSL during an SSL session. The URL: https://xxxxx/seminar/auth/saml/index.php has failed this policy.
If a cookie is marked with the "secure" attribute, it will only be transmitted if the communications channel with the host is a secure one. Currently this means that secure cookies will only be sent to HTTPS (HTTP over SSL) servers. If secure is not specified, a cookie is considered safe to be sent in the clear over unsecured channels.
2.
Cookies are small bits of data that are sent by the web application but stored locally in the browser. This lets the application use the cookie to pass information between pages and store variable information. The web application controls what information is stored in a cookie and how it is used. Typical types of information stored in cookies are session identifiers, personalization and customization information, and in rare cases even usernames to enable automated logins.
There are two different types of cookies: session cookies and persistent cookies. Session cookies only live in the browser's memory, and are not stored anywhere. Persistent cookies, however, are stored on the browser's hard drive. This can cause security and privacy issues depending on the information stored in the cookie and how it is accessed.
Persistent cookies are stored on the browsing client's hard drive even when that client is no longer browsing the Web site that set the client. Depending on what information is stored in the cookie, this could lead to security and privacy violations. The Office of Management and Budget has decreed that no federal websites shall use persistent cookies except in very specific situations.
3.
A username was found in the query string of a GET request or Set-Cookie header.
Unknown application testing seeks to uncover new vulnerabilities in both custom and commercial software. Because of this, there are no specific patches or descriptions for this issue.
Moodle is running in the following environment.
OS: Windows NT GSV001 10.0 build 14393 (Windows Server 2016) i586
Moodle version: 3.4 (Build: 20171113)
PHP version: 7.0.26RC1
Session-related settings:
Directive                  Local Value    Master Value
session.cookie_domain      no value       no value
session.cookie_httponly    Off            Off
session.cookie_lifetime    0              0
session.cookie_path        /seminarp/     /
session.cookie_secure      On             Off
session.use_cookies        On             On
session.use_only_cookies   On             On
Thank you in advance for your help.
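The three findings quoted in the post (a cookie without the Secure attribute, a persistent cookie, and a username appearing in a query string or Set-Cookie header) can be checked against a site's own responses rather than only read from the scanner report. The script below is an added example; it is not part of the post and not Moodle code. It also checks for the HttpOnly attribute, which the scan did not report but which the pasted php.ini values show as Off. The URL, the cookie names and the Set-Cookie lines in it are constructed for illustration, not captured from the poster's site, and the finding codes are names chosen here. Like a scanner, it detects "username" exposure by looking for the usernames it was told about, since a cookie or parameter name alone does not reveal whether its value is a username.

```python
"""Audit Set-Cookie headers and request URLs for the cookie findings quoted in the post.

Added example: the sample URL and headers below are constructed, not captured
from any real Moodle site.
"""

from urllib.parse import urlsplit, parse_qsl


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased. Flag attributes (Secure, HttpOnly) map to
    True; valued attributes (Path, Expires, Max-Age, ...) map to their string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header_value, known_usernames=()):
    """Return the finding codes that apply to one Set-Cookie header.

    known_usernames: usernames the scanner logged in with (constructed here);
    any of them appearing in the cookie value is reported as finding 3.
    """
    name, value, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append("missing-secure")        # finding 1 in the scan
    if "httponly" not in attrs:
        findings.append("missing-httponly")      # php.ini shows cookie_httponly Off
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent")            # finding 2: survives browser close
    if any(u and u in value for u in known_usernames):
        findings.append("username-in-cookie")    # finding 3, Set-Cookie side
    return findings


def audit_url(url, known_usernames=()):
    """Return finding codes for a request URL's query string (finding 3)."""
    query = urlsplit(url).query
    for _, val in parse_qsl(query, keep_blank_values=True):
        if any(u and u in val for u in known_usernames):
            return ["username-in-query"]
    return []


def audit_response(url, set_cookie_headers, known_usernames=()):
    """Audit one response: maps 'url' or each cookie name to its findings."""
    report = {}
    url_findings = audit_url(url, known_usernames)
    if url_findings:
        report["url"] = url_findings
    for header in set_cookie_headers:
        name, _, _ = parse_set_cookie(header)
        findings = audit_cookie(header, known_usernames)
        if findings:
            report[name] = findings
    return report


# Constructed sample: a session cookie with Secure but no HttpOnly, a
# persistent "remember me" cookie with neither attribute that carries the
# username, and a username in the query string. Hostname and names are
# placeholders chosen for this example.
SAMPLE_USERNAMES = ("alice",)
SAMPLE_URL = "https://example.invalid/seminar/auth/saml/index.php?username=alice"
SAMPLE_HEADERS = [
    "MoodleSession=1a2b3c4d; Path=/seminar/; Secure",
    "remember_user=alice; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
]

if __name__ == "__main__":
    for target, findings in audit_response(SAMPLE_URL, SAMPLE_HEADERS,
                                           SAMPLE_USERNAMES).items():
        print(f"{target}: {', '.join(findings)}")
```

When run against the constructed sample, the report lists the query string once, the session cookie as missing HttpOnly only, and the "remember me" cookie for all four codes. On a real deployment, replace the sample with the actual response headers of the flagged URL (for example from the browser's developer tools) and the username used for the scan. Two details from the post are worth checking while doing so: the pasted session.cookie_path (/seminarp/) does not match the path of the flagged URL (/seminar/), so it is worth confirming which cookie the scanner actually observed; and session.cookie_httponly is Off, which Moodle can override in config.php with $CFG->cookiehttponly = true (with $CFG->cookiesecure = true for the Secure attribute).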