Potential security issues fixed in 5.0.5
We fixed the following potential security problems in the web version:
- the url that was used to retrieve images contained the name and port of the resource server. This information could be used to perform a port scan. We now use a url that does not contain that information.
- The HTTP headers X-PoweredBy and Server are now no longer sent to the client. The information in these headers was not used by Blaise and could be used to attack the web server and/or web application
- The ASP.NET cookie was not secure (the Secure Flag was not set). Also, the HttpOnly flag was not set which could be used by a cross-site scripting attack. Blaise doesn't use the ASP.NET cookie, so we modified web.config to not send the cookie anymore.
- Password fields do no longer have an autocomplete attribute.