1 rneube Oct 21, 2008 14:12
3 rneube Oct 21, 2008 15:49
Hi, thank you for your post. I know we are not sending sensitive info. However, it is a vulnerability cat 3 for PCI (High). I guess we could run the whole application under SSL. That would solve the problem. However, I think fixing this issue would be a good addition to B2Evolution. Thank you!
4 blueyed Oct 22, 2008 00:27
Well, hijacking the cookie means hijacking the account it is used for! So it's a security issue after all.
But there's no other solution than using https only, since the cookie is required and it can only be transmitted securely over https.
It would be good to have a feature like "Bind login to current IP address", which would make hijacking the cookie much more difficult, of course. As far as I know this feature does not exist and isn't planned.
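What a PCI scanner is actually looking for in a finding like this is the Secure attribute on the session cookie (and usually HttpOnly as well): Secure tells the browser never to send the cookie over plain http, which only amounts to a fix when the site is also served over https. The following is an added example written for this thread, not b2evolution's code: a scanner-style audit of Set-Cookie headers that reports the weak header beside its hardened form. The cookie name `blog_session`, its value and the response headers are constructed for the example.

```python
"""Audit Set-Cookie headers for the flags a PCI scanner checks (Secure, HttpOnly).

Constructed example for this forum thread, not b2evolution code. The cookie
name, value and response headers below are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    # attribute names lower-cased; flag attributes (Secure, HttpOnly) map to ""
    attrs: Dict[str, str] = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie header value (RFC 6265 "name=value; attr; attr=val")."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for av in parts[1:]:
        if not av:
            continue
        k, _, v = av.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return Cookie(name.strip(), value, attrs)


def harden_set_cookie(header_value: str) -> str:
    """Re-emit a Set-Cookie value with Secure and HttpOnly appended (once)."""
    c = parse_set_cookie(header_value)
    out = f"{c.name}={c.value}"
    for k, v in c.attrs.items():
        if k in ("secure", "httponly"):
            continue  # re-added below so they appear exactly once
        out += f"; {k}={v}" if v else f"; {k}"
    return out + "; Secure; HttpOnly"


def audit_cookies(headers: List[Tuple[str, str]], served_over_https: bool) -> List[str]:
    """Return one finding per problem a scanner would report for this response.

    Even a cookie carrying Secure is exposed if the site itself is only
    reachable over plain http, so that deployment is reported as a finding too.
    """
    findings: List[str] = []
    if not served_over_https:
        findings.append("site served over plain http: cookies are exposed regardless of flags")
    for hname, hval in headers:
        if hname.lower() != "set-cookie":
            continue
        c = parse_set_cookie(hval)
        if not c.secure:
            findings.append(f"{c.name}: missing Secure flag (browser will send it over http)")
        if not c.httponly:
            findings.append(f"{c.name}: missing HttpOnly flag (readable by page script)")
    return findings


# Constructed responses: the weak header a scanner flags, and its hardened form.
WEAK_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "blog_session=7f3a9c; path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", harden_set_cookie("blog_session=7f3a9c; path=/")),
]

if __name__ == "__main__":
    for finding in audit_cookies(WEAK_RESPONSE, served_over_https=False):
        print("FINDING:", finding)
    print("hardened:", HARDENED_RESPONSE[1][1])
    print("hardened findings:", audit_cookies(HARDENED_RESPONSE, served_over_https=True))
```

In PHP, which b2evolution is written in, the same two attributes are the `secure` and `httponly` parameters of `setcookie()`; setting them is what the hardened header above corresponds to on the server side, and it still has to be paired with serving the site over https for the Secure flag to buy anything.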
5 rneube Oct 22, 2008 15:04
Well, the point is... if you are running an ecommerce website and you are required to be PCI compliant (as is being enforced now, at least in the US), you will not be able to run this blog unless you use https, which will take more resources from the server. For the credit card industry this is an important vulnerability, so the developers will have to figure out how to fix it. We had to remove the whole application.
Hi rneube,
No sensitive info is stored in the cookie; hijacking the cookie will not result in a potential hack of the blog.
I don't think your security compliance provider will believe that. As I understand it from your question, they want the cookie sent over SSL. I will forward this question to an expert.
Good luck