Admin Console: Frameable Response (potential Clickjacking)

Description

Spotted during a vulnerability assessment with a BurpSuite run (v1.6.31) against Openfire v4.0.0 (alpha), with the following plugins installed: Broadcast (v1.9.0), Client Control (v1.2.0) and Monitoring Service (v1.4.7).

Issue remediation
To effectively prevent framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself. Note that the SAMEORIGIN header can be partially bypassed if the application itself can be made to frame untrusted websites.
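The following Python check is an added illustration, not code from the Openfire project or from this ticket: it classifies a raw HTTP response the way the remediation text describes, treating a missing X-Frame-Options header as frameable and DENY or SAMEORIGIN as protected (the "deny" default the fix comment mentions). The sample responses are constructed, and the handling of a Content-Security-Policy frame-ancestors directive (which current browsers honour in preference to X-Frame-Options) goes beyond what the ticket itself states.

```python
"""Classify the framing protection of a raw HTTP response (added example)."""


def parse_headers(raw: bytes) -> dict[str, list[str]]:
    """Split a raw response into a name -> values map (names lower-cased)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers: dict[str, list[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def frame_protection(raw: bytes) -> str:
    """Return 'frameable', 'deny', 'sameorigin', 'allow-from', 'csp' or 'invalid'.

    'csp' means a frame-ancestors directive is present; modern browsers then
    ignore X-Frame-Options entirely, so CSP governs the outcome.
    """
    headers = parse_headers(raw)
    for policy in headers.get("content-security-policy", []):
        if "frame-ancestors" in policy.lower():
            return "csp"
    values: list[str] = []
    for field in headers.get("x-frame-options", []):
        values.extend(v.strip().lower() for v in field.split(",") if v.strip())
    if not values:
        return "frameable"          # no header at all: the reported finding
    if len(set(values)) > 1:
        return "invalid"            # conflicting directives; treatment varies
    if values[0] in ("deny", "sameorigin"):
        return values[0]
    if values[0].startswith("allow-from"):
        return "allow-from"         # obsolete form; unsupported browsers ignore it
    return "invalid"                # e.g. ALLOWALL: not a recognised directive


# Constructed sample responses, before and after setting the header.
BEFORE_FIX = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              b"Set-Cookie: JSESSIONID=constructed\r\n\r\n<html></html>")
AFTER_FIX = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             b"X-Frame-Options: DENY\r\n\r\n<html></html>")


def audit(responses: dict[str, bytes]) -> dict[str, str]:
    """Classify several captured responses at once."""
    return {name: frame_protection(raw) for name, raw in responses.items()}


if __name__ == "__main__":
    for name, verdict in audit({"before": BEFORE_FIX, "after": AFTER_FIX}).items():
        print(f"{name}: {verdict}")
```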

Environment

Openfire v4.0.0 (alpha), with the following plugins installed: Broadcast (v1.9.0), Client Control (v1.2.0) and Monitoring Service (v1.4.7).

Activity

Dave Cridland
December 16, 2016, 11:30 AM

Found during 4.1.0 Beta testing to be open for general admin console, but not plugins.

Tim Durden
November 14, 2016, 1:59 PM

Closing.

Dave Cridland
December 11, 2015, 12:01 PM

Fixed by PR 442, now set by an option adminConsole.frame-options which defaults to "deny".

Fixed

Assignee

Dave Cridland

Reporter

Tim Durden

Expected Effort

Minimal