Messages - pcplace

1
19.7 Legacy Series / Re: Predictable Session ID Vulnerability
« on: January 21, 2020, 04:17:35 pm »
Thanks for the reply!

This is not my area of expertise so I wasn't sure if "cookie_test" was a label from the scanner or the name of the actual cookie.

Thanks again for the replies. A very helpful community. Based on the answers given here I will ask for an "exception" on this false positive.

On that note should I still open a ticket at https://github.com/opnsense/core/issues as suggested by AdSchellevis in case this affects anyone else in the future?

Have a great day!

2
19.7 Legacy Series / Re: Predictable Session ID Vulnerability
« on: January 20, 2020, 11:24:00 pm »
So while I am waiting to hear back from a support agent with our processor, I was able to print out a little more info. I have attached a picture of the info provided. As soon as I have any more info, I will post that as well.

Thanks!
3
19.7 Legacy Series / Re: Predictable Session ID Vulnerability
« on: January 20, 2020, 05:29:49 pm »
Thanks for the info. The reason I say it is related to OPNsense is it only fails when the GUI is accessible. If I log into the shell and kill the lighttpd process that runs the GUI the scan passes.

I guess I could leave the GUI dead and do everything from the shell... Just thought it would be fixable.

Thanks!
4
19.7 Legacy Series / Predictable Session ID Vulnerability
« on: January 20, 2020, 04:46:00 pm »
We have been using OPNsense for a while now and everything has been fine. Recently we switched credit card processors and now fail a PCI compliance scan because of a "Predictable Session ID Vulnerability" on port 443 with OPNsense. I have searched for a while trying to come up with an answer to fix this and can't figure it out.

Any suggestions?

Thanks!

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved