Re: Secure page can be cached in browser. Cache control is not set in HTTP header nor HTML header.

2013-12-18 Thread Mark Phippard
This is not the right mailing list.

You posted this to the users@ mailing list for Subversion.

You can find the users@ list for the Apache HTTP Server on this web page:

http://httpd.apache.org/lists.html#http-users




On Wed, Dec 18, 2013 at 10:22 AM, Meir Renford  wrote:

> Hi,
>
> I was referred to this mailing list regarding this bug:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=55896#add_comment
>
> When running OWASP ZAP web security tool, I get the following flag:
>
> Secure page can be cached in browser.  Cache control is not set in HTTP
> header nor HTML header.  Sensitive content can be recovered from browser
> storage.
>
> I was surprised since I had the no cache header in both HTML code and httpd
> header.
>
> After investigating the flag, I noticed that the response was a generic 302
> Found error response from Apache (located in
> apache/src/modules/http/http_protocol.c).
>
> Full response given:
>
> header:
>
> HTTP/1.1 302 Found
> Date: Sat, 30 Nov 2013 10:44:40 GMT
> Server: Apache
> X-Frame-Options: DENY
> Location: https://10.209.0.81/admin/launch?script=rh&template=login&v_error=Incorrect%20user%20id%20or%20password.&f_user_id=ZAP
> Content-Length: 376
> Content-Type: text/html; charset=iso-8859-1
>
> body:
>
> 302 Found
>
> Found
>
> The document has moved <a href="https://10.209.0.81/admin/launch?script=rh&template=login&v_error=Incorrect%20user%20id%20or%20password.&f_user_id=ZAP">here</a>.
>
> Apache Server at 10.209.0.81 Port 443
>
> In conclusion:
>
> 1. Issue is "Secure page can be cached in browser." (found by OWASP ZAP) for
> HTTPS page response "302 Found" from Apache.
>
> 2. Apache httpd bugs team indicated that this is not a bug on their side.
>
> I fail to understand then,
>
> 1. If no "no-cache" flag was entered in the header, how could the response
> avoid being cached by the browser?
>
> 2. If it is not explicitly mentioned, isn't it a security risk over Apache's
> generic response?
>
> Would appreciate your help/advice.
>
> Thanks,
>
> Meir
>



-- 
Thanks

Mark Phippard
http://markphip.blogspot.com/


Secure page can be cached in browser. Cache control is not set in HTTP header nor HTML header.

2013-12-18 Thread Meir Renford
Hi,

I was referred to this mailing list regarding this bug:
https://issues.apache.org/bugzilla/show_bug.cgi?id=55896#add_comment

When running OWASP ZAP web security tool, I get the following flag:

Secure page can be cached in browser.  Cache control is not set in HTTP header
nor HTML header.  Sensitive content can be recovered from browser storage.

I was surprised since I had the no cache header in both HTML code and httpd
header.

After investigating the flag, I noticed that the response was a generic 302
Found error response from Apache (located in
apache/src/modules/http/http_protocol.c).

Full response given:

header:

HTTP/1.1 302 Found
Date: Sat, 30 Nov 2013 10:44:40 GMT
Server: Apache
X-Frame-Options: DENY
Location: https://10.209.0.81/admin/launch?script=rh&template=login&v_error=Incorrect%20user%20id%20or%20password.&f_user_id=ZAP
Content-Length: 376
Content-Type: text/html; charset=iso-8859-1

body:

302 Found

Found

The document has moved <a href="https://10.209.0.81/admin/launch?script=rh&template=login&v_error=Incorrect%20user%20id%20or%20password.&f_user_id=ZAP">here</a>.

Apache Server at 10.209.0.81 Port 443

In conclusion:

1. Issue is "Secure page can be cached in browser." (found by OWASP ZAP) for
HTTPS page response "302 Found" from Apache.

2. Apache httpd bugs team indicated that this is not a bug on their side.

I fail to understand then,

1. If no "no-cache" flag was entered in the header, how could the response
avoid being cached by the browser?

2. If it is not explicitly mentioned, isn't it a security risk over Apache's
generic response?

Would appreciate your help/advice.

Thanks,

Meir
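The two questions at the end of Meir's message come down to the difference between a response that a cache is merely not permitted to store by default and one that explicitly forbids storage. Under RFC 7234 section 3 a cache may store a response only if it carries explicit freshness information (Expires, max-age, s-maxage or public) or its status code is "cacheable by default" per RFC 7231 section 6.1; 302 is not on that list, so the bare Apache redirect above is not storable by a conforming cache, yet nothing in it says so, which is exactly what a scanner rule looking for an explicit directive reports. The script below is an added example written for this thread, not code from the thread, from Apache httpd or from OWASP ZAP. It parses a raw response, applies those two rules, and reports a ZAP-style finding (an approximation of the scanner's check, not its actual logic). The sample responses are constructed here and modelled on the one quoted in the thread.

```python
"""Cacheability assessment of a raw HTTP/1.x response (added example).

Applies the storage rule of RFC 7234 section 3 and the "cacheable by default"
status list of RFC 7231 section 6.1, then reports a scanner-style finding
whenever no explicit directive prevents storage. Samples are constructed.
"""

# Status codes a cache may store even without explicit freshness information
# (RFC 7231 section 6.1). 302 is deliberately absent from this list.
CACHEABLE_BY_DEFAULT = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}

# Constructed sample modelled on the generic Apache 302 quoted in the thread.
SAMPLE_302 = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Sat, 30 Nov 2013 10:44:40 GMT\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: DENY\r\n"
    "Location: https://login.example.invalid/admin/launch?template=login\r\n"
    "Content-Length: 17\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<h1>Found</h1>\r\n"
)

# The same redirect after explicit directives have been added to it.
SAMPLE_302_HARDENED = SAMPLE_302.replace(
    "Server: Apache\r\n",
    "Server: Apache\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "Expires: 0\r\n",
)

# A 200 with no cache headers at all: storable by default, so here the same
# finding describes a real exposure rather than a missing belt-and-braces.
SAMPLE_200 = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<p>account details</p>\r\n"
)


def parse_response(raw):
    """Split a raw response into (status code, lowercase header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def cache_directives(headers):
    """Return Cache-Control directive names (lowercase, arguments dropped)."""
    value = headers.get("cache-control", "")
    return {part.strip().split("=", 1)[0].lower()
            for part in value.split(",") if part.strip()}


def assess(raw):
    """Assess one response; returns a dict of the rule outcomes."""
    status, headers, _ = parse_response(raw)
    directives = cache_directives(headers)
    explicit_freshness = ("expires" in headers
                          or bool(directives & {"max-age", "s-maxage", "public"}))
    storable_by_default = status in CACHEABLE_BY_DEFAULT
    # RFC 7234 section 3: no-store forbids storage outright; otherwise a cache
    # MAY store the response if it has explicit freshness information or its
    # status code is cacheable by default.
    storable = ("no-store" not in directives
                and (explicit_freshness or storable_by_default))
    # Scanner-style finding (an approximation of the ZAP rule, not its code):
    # raised when nothing in Cache-Control explicitly prevents storage,
    # regardless of what the status code implies.
    finding = not (directives & {"no-store", "no-cache", "private"})
    return {
        "status": status,
        "directives": directives,
        "storable_by_default": storable_by_default,
        "storable": storable,
        "finding": finding,
    }


if __name__ == "__main__":
    for label, sample in (("generic 302", SAMPLE_302),
                          ("hardened 302", SAMPLE_302_HARDENED),
                          ("bare 200", SAMPLE_200)):
        result = assess(sample)
        print(f"{label:12} storable={result['storable']!s:5} "
              f"finding={result['finding']}")
```

Run against the three samples, the generic 302 is reported as not storable but still flagged, the hardened 302 clears the finding, and the bare 200 is both storable and flagged. For httpd the practical fix is to make the directive explicit on every response, including the internally generated redirect and error documents: mod_headers' `Header always set Cache-Control "no-store, no-cache, must-revalidate"` (the `always` condition reaches those internally generated responses, which a plain `Header set` does not), which also addresses the browser-side storage concern the scanner message is really about.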