Admin Console: Frameable Response (potential Clickjacking)

Description

Spotted during vulnerability assessment with BurpSuite run (v1.6.31), against Openfire v4.0.0 (alpha), with the following plugins installed: Broadcast (v1.9.0), Client Control (v1.2.0) and Monitoring Service (v1.4.7).

Issue remediation
To effectively prevent framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself. Note that the SAMEORIGIN header can be partially bypassed if the application itself can be made to frame untrusted websites.

Environment

Openfire v4.0.0 (alpha), with the following plugins installed: Broadcast (v1.9.0), Client Control (v1.2.0) and Monitoring Service (v1.4.7).

Acceptance Test - Entry

Openfire returns X-Frame-Options header with value DENY.

Activity

Show:

Dave Cridland

December 11, 2015, 12:01 PM

Copy link to comment

Fixed by PR 442, now set by an option adminConsole.frame-options which defaults to "deny".

Tim Durden

November 14, 2016, 1:59 PM

Copy link to comment

Closing.

Dave Cridland

December 16, 2016, 11:30 AM

Copy link to comment

Found during 4.1.0 Beta testing to be open for general admin console, but not plugins.

Assignee

Dave Cridland

Reporter

Tim Durden

Labels

None

Expected Effort

Minimal

Ignite Forum URL

None

Fix versions

4.1.0

Affects versions

4.0.0

Priority

Major

Configure