Security risks

PostPosted: Fri Jan 08, 2021 5:10 pm
by aly813
After a security risk scan I got 2 threats.
1- 150120 Session Cookie (Authentication Related) Does Not Contain The "secure" Attribute.
2- 150124 Clickjacking - Framable Page.
What can cause this and how can I work around it?
Thanks

Re: Security risks

PostPosted: Fri Jan 08, 2021 5:21 pm
by jcompagner
The session cookie needs to be configured by the container (so for tomcat: https://geekflare.com/secure-cookie-flag-in-tomcat/).

The other one I think can also be solved in the container; tomcat has a filter for that:

https://support.ptc.com/help/thingworx/ ... omcat.html

Re: Security risks

PostPosted: Mon Feb 01, 2021 7:52 pm
by aly813
I made the change for cookies, but still the Chrome cookie viewer does not show secure.

<session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

Re: Security risks

PostPosted: Mon Feb 01, 2021 8:13 pm
by jcompagner
And you access it through https?
If you do, you need to check it yourself and look carefully at the tomcat/war configuration, because the last time I checked this it worked fine.

Re: Security risks

PostPosted: Thu Feb 18, 2021 5:21 pm
by aly813
It seems that the change we made took care of the cookies problem; however, the new scan report shows this error: "150162 Use of JavaScript Library with Known Vulnerability". It suggests upgrading the jQuery library and TinyMCE. The question here is which version we should use for both of them and how we can upgrade.
Keep in mind that we are using Servoy version 2020.3.0.3562.
Thanks

Re: Security risks

PostPosted: Thu Feb 18, 2021 5:33 pm
by jcompagner
Those can't be upgraded by a user (not with hacking).
Those updates need to be done by Servoy; the problem is that TinyMCE will very likely not be updated anymore for NG1.

Re: Security risks

PostPosted: Thu Feb 18, 2021 7:50 pm
by pbdavis
Johan do you have a version of Servoy that does have the security vulnerabilities? They claim you must be at least at 3.5.0 for jQuery and 5.4 for TinyMCE.
Will Servoy fix these vulnerabilities in their LTS version?

Re: Security risks

PostPosted: Fri Feb 19, 2021 3:20 pm
by jcompagner
I will have a look for 2021.03 to upgrade our libs (angular, jquery, and will also have a look if TinyMCE is possible).

One problem is that I think the claim "do use jquery 3.5 or later" can potentially break a lot of components and custom html in a servoy solution. So we need to restore that legacy behavior (https://jquery.com/upgrade-guide/3.5/#d ... the-change) by default for now.

Re: Security risks

PostPosted: Thu Mar 04, 2021 7:59 pm
by pbdavis
After making the suggested changes for Session Cookie and Clickjacking, the Media Field (IMAGE_MEDIA) element stopped working. We can no longer upload images. When you click on the load media folder a pop-up appears with a sad face "website.com refused to connect".
Can anyone help fix the Media Field element?

Re: Security risks

PostPosted: Thu Mar 04, 2021 9:11 pm
by jcompagner
what is exactly the request you see in the chrome dev tools when you do an upload?
what is the response and request exactly?

Re: Security risks

PostPosted: Thu Mar 04, 2021 11:06 pm
by pbdavis
I'm not sure where to find what you want in the dev tools. Here is the error in the console:
Refused to display 'https://xyz.com/servoy-webclient/?x=68j1QO31odfVcx*YVy9AubrAgt5C49Cm' in a frame because it set 'X-Frame-Options' to 'deny'.

Re: Security risks

PostPosted: Thu Mar 04, 2021 11:19 pm
by jcompagner
OK, then that is only fixable by using X-Frame-Options: SAMEORIGIN,
because you need to allow iframes to the same host.

Re: Security risks

PostPosted: Fri Mar 05, 2021 4:37 pm
by pbdavis
Sorry for my ignorance, but could you provide details on what I need to change?
Thanks.

Re: Security risks

PostPosted: Fri Mar 05, 2021 5:59 pm
by jcompagner
You did change something that set this:

'X-Frame-Options' to 'deny'

and that can't be; the change can only be

'X-Frame-Options' to 'sameorigin'

Re: Security risks

PostPosted: Fri Mar 05, 2021 8:06 pm
by pbdavis
I don't see anything like that in what I changed. I added the following to the file D:\Servoy_V9.1\application_server\server\webapps\ROOT\WEB-INF\web.xml
<session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
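The filter declared above sets no antiClickJackingOption, and Tomcat's HttpHeaderSecurityFilter has antiClickJackingEnabled=true with antiClickJackingOption=DENY by default, which is the 'X-Frame-Options: deny' the browser console reported. As an added example (not code from the thread, Servoy or Tomcat), this Python script audits a web.xml for the secure cookie flag and the effective X-Frame-Options value and adds the SAMEORIGIN setting; the sample web.xml and the function names are constructed for illustration.

```python
# Audit a Tomcat web.xml for findings 150120 (secure cookie) and 150124 (framing).
import xml.etree.ElementTree as ET

NS = "http://xmlns.jcp.org/xml/ns/javaee"
ET.register_namespace("", NS)
FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"

# Constructed sample modelled on the web.xml posted above: secure cookie set,
# filter declared, but no antiClickJackingOption, so the default DENY applies.
SAMPLE_WEB_XML = f"""<web-app xmlns="{NS}" version="4.0">
  <session-config><cookie-config><http-only>true</http-only>
    <secure>true</secure></cookie-config></session-config>
  <filter><filter-name>httpHeaderSecurity</filter-name>
    <filter-class>{FILTER_CLASS}</filter-class>
    <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
  </filter>
</web-app>"""

def _text(el, path):  # "{*}" matches the element in any (or no) namespace, Python 3.8+
    node = el.find(path)
    return node.text.strip() if node is not None and node.text else None

def _header_filter(root):
    return next((f for f in root.findall("{*}filter")
                 if _text(f, "{*}filter-class") == FILTER_CLASS), None)

def audit_web_xml(xml_text):
    """Return the effective cookie flags and the X-Frame-Options the filter will emit."""
    root = ET.fromstring(xml_text)
    cookie = "{*}session-config/{*}cookie-config/{*}"
    filt = _header_filter(root)
    params = {} if filt is None else {_text(p, "{*}param-name"): _text(p, "{*}param-value")
                                      for p in filt.findall("{*}init-param")}
    xfo = None  # filter defaults: antiClickJackingEnabled=true, antiClickJackingOption=DENY
    if filt is not None and params.get("antiClickJackingEnabled", "true") == "true":
        xfo = params.get("antiClickJackingOption", "DENY").upper()
    return {"cookie_secure": _text(root, cookie + "secure") == "true",
            "cookie_http_only": _text(root, cookie + "http-only") == "true",
            "x_frame_options": xfo}

def set_anti_clickjacking_sameorigin(xml_text):
    """Return web.xml with antiClickJackingOption=SAMEORIGIN on the header filter."""
    root = ET.fromstring(xml_text)
    filt = _header_filter(root)
    if filt is None:
        raise ValueError("HttpHeaderSecurityFilter is not declared")
    for p in filt.findall("{*}init-param"):  # replace any existing setting
        if _text(p, "{*}param-name") == "antiClickJackingOption":
            filt.remove(p)
    ip = ET.SubElement(filt, f"{{{NS}}}init-param")
    ET.SubElement(ip, f"{{{NS}}}param-name").text = "antiClickJackingOption"
    ET.SubElement(ip, f"{{{NS}}}param-value").text = "SAMEORIGIN"
    return ET.tostring(root, encoding="unicode")
```

SAMEORIGIN still blocks framing by other hosts, so the clickjacking finding stays addressed while the same-host iframe used by the media field loads again.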