Always use HTTPS, even for ServerStatus
daknob opened this issue · 0 comments
daknob commented
The Rewrite Engine Rule in the sample apache configuration ( https://github.com/grnet/zeus/blob/master/conf/apache2_zeus#L29 ) does not redirect to https if the user is visiting /server-status/*.
This can allow an attacker in a privileged network position (MITM) to spoof the entire page and execute malicious JavaScript against a user visiting the page, access all cookies not marked as secure, and change the page content for phishing / malware installation.
You are encouraged to add https to all pages regardless of content to avoid the above and similar attacks.
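The configuration pattern the issue describes, as an added example and not the zeus project's own apache2_zeus file (which is not reproduced here): a hypothetical port-80 VirtualHost whose redirect rule excludes /server-status, shown commented out beside an unconditional redirect, with the status page served only over TLS. The hostname, the IP restriction and the HSTS value are assumptions.

```apache
# Constructed example of the weak pattern and its fix; not the zeus conf.
<VirtualHost *:80>
    ServerName zeus.example.org
    RewriteEngine On

    # Weak (left here commented out): the exclusion keeps /server-status on
    # plain HTTP, so its HTML, scripts and any cookie without the Secure flag
    # cross the network in the clear and can be altered by an on-path attacker.
    # RewriteCond %{REQUEST_URI} !^/server-status
    # RewriteRule ^/(.*)$ https://%{SERVER_NAME}/$1 [R=301,L]

    # Corrected: redirect every path, regardless of content, to HTTPS.
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName zeus.example.org
    SSLEngine On
    SSLCertificateFile    /etc/ssl/certs/zeus.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/zeus.example.org.key

    # Tell returning browsers never to try plain HTTP again (assumed value).
    Header always set Strict-Transport-Security "max-age=31536000"

    # The status page exists only on the TLS host, and only for local readers.
    <Location /server-status>
        SetHandler server-status
        Require ip 127.0.0.1 ::1
    </Location>
</VirtualHost>
```

To verify after reloading, `curl -sI http://zeus.example.org/server-status/` should return a 301 whose `Location:` header starts with `https://`, and the same request over HTTPS from a non-local address should be refused by the `Require ip` rule.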