Hi All,
There are some issues reported during the security scan for the Notes application. The categories of these issues are as below:
- Missing Secure Attribute in Encrypted Session (SSL) Cookie
- Cross-Site Scripting
- Missing HttpOnly Attribute in Session Cookie
- Cross-Site Request Forgery
This application also has a web interface, so on one web page we have one view where each document is a link. We are opening these documents by the UNID of the document.
Example: https://www-wi-sso3.toronto.ca.ibm.com:445/procurement/abrs/abrsprodivt.nsf/b88193ddf8cf79e78625664b0055716d/72aac60f79e14b2a85257bf7001fe8cd?OpenDocument
Now, the security scanner admins are trying to alter the URL by different means, like replacing 'OpenDocument' with some other values, which shows an error message, which is obvious because that URL does not exist. By doing so, they are saying that it can show some sensitive data (customer session and cookies); not sure how.
As the website interface is also created from Notes itself, I am not sure how to handle HTTP vulnerabilities from Notes code. As per my analysis, that can be removed by applying a new fix pack on the Domino server, but the latest fix pack (Domino 9.0.1 FP5IF1) is already on the server where this scanning happened. So I am not getting a clue where to start, or whether it is possible to remove them or not.
Please suggest something; that would be very helpful.
Thanks in Advance!!!
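As an added example (not part of the original post or of Domino), here is a small Python check that reproduces the first and third scanner findings listed above from a set of Set-Cookie headers, so the result can be re-verified after a fix pack or server configuration change; the cookie names and header values are constructed placeholders, not values captured from the application.

```python
# Audit Set-Cookie headers for the "Missing Secure Attribute" and
# "Missing HttpOnly Attribute in Session Cookie" scanner findings.

# Constructed sample headers (placeholder cookie names, not the real ones).
SAMPLE_SET_COOKIE = [
    "SESSION_COOKIE_PLACEHOLDER=abc123; path=/",
    "SSO_TOKEN_PLACEHOLDER=def456; path=/; domain=.example.com; HttpOnly",
    "prefs=lang%3Den; path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure; HttpOnly",
]

SECURE_FINDING = "Missing Secure Attribute in Encrypted Session (SSL) Cookie"
HTTPONLY_FINDING = "Missing HttpOnly Attribute in Session Cookie"


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; flags like Secure have no value.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_session_cookie(attrs):
    """A cookie with neither Expires nor Max-Age lives only for the browser session."""
    return "expires" not in attrs and "max-age" not in attrs


def audit_cookies(headers, served_over_https=True):
    """Return (cookie name, finding) pairs in the order the headers were given."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        # Over HTTPS every cookie should carry Secure, or it can leak over plain HTTP.
        if served_over_https and "secure" not in attrs:
            findings.append((name, SECURE_FINDING))
        # Session cookies without HttpOnly are readable by injected script (the XSS finding).
        if is_session_cookie(attrs) and "httponly" not in attrs:
            findings.append((name, HTTPONLY_FINDING))
    return findings


if __name__ == "__main__":
    for cookie, finding in audit_cookies(SAMPLE_SET_COOKIE):
        print(f"{cookie}: {finding}")
```

Feed it the Set-Cookie headers from a real response (for example, copied from the browser's network tab) to confirm whether the server now sets both attributes; the third sample header shows the form a clean cookie takes.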