Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Always use HTTPS, even for ServerStatus #25

Open
daknob opened this issue May 13, 2015 · 0 comments
Open

Always use HTTPS, even for ServerStatus #25

daknob opened this issue May 13, 2015 · 0 comments

Comments

@daknob
Copy link

daknob commented May 13, 2015

The Rewrite Engine Rule in the sample apache configuration ( https://github.com/grnet/zeus/blob/master/conf/apache2_zeus#L29 ) does not redirect to https if the user is visiting /server-status/*.
This can allow an attacker in a privileged network position (MITM) to spoof the entire page and execute malicious JavaScript to a user visiting the page, access all cookies not marked as secure and change the page content for phishing / malware installation.

You are encouraged to add https to all pages regardless of content to avoid the above and similar attacks.
vinilios added a commit that referenced this issue May 24, 2016
@vinilios
Merge branch 'feature/trustee_json' into 'develop'
7dca5b3 
add json info view for trustee

Issue #25

See merge request !18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@daknob