Admin Console: Frameable Response (potential Clickjacking)

Description

Spotted during a vulnerability assessment with a BurpSuite run (v1.6.31) against Openfire v4.0.0 (alpha), with the following plugins installed: Broadcast (v1.9.0), Client Control (v1.2.0) and Monitoring Service (v1.4.7).

Issue remediation

To effectively prevent framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself. Note that the SAMEORIGIN header can be partially bypassed if the application itself can be made to frame untrusted websites.

Environment

Openfire v4.0.0 (alpha), with the following plugins installed: Broadcast (v1.9.0), Client Control (v1.2.0) and Monitoring Service (v1.4.7).

Acceptance Test - Entry

Openfire returns X-Frame-Options header with value DENY.
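The check behind the acceptance test above, as an added example that is not Openfire's own code: it parses a raw HTTP response and reports whether the page would be frameable, treating DENY and SAMEORIGIN as the remediation describes. The two sample responses are constructed, not captured from Openfire.

```python
"""Check an HTTP response for a framing defence, mirroring this issue's
acceptance test (X-Frame-Options: DENY). Added example, not Openfire code."""
from typing import List, Tuple

# Constructed sample responses (not captured from Openfire): the first reflects
# the finding (no anti-framing header), the second the fix the issue describes.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html;charset=UTF-8\r\n"
    "Set-Cookie: JSESSIONID=placeholder; Path=/\r\n\r\n<html>admin console</html>"
)
FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html;charset=UTF-8\r\n"
    "X-Frame-Options: deny\r\n\r\n<html>admin console</html>"
)

def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split the header block of a raw HTTP response into (name, value) pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs

def framing_verdict(headers: List[Tuple[str, str]]) -> Tuple[bool, str]:
    """Return (frameable, reason). Header names and values are compared
    case-insensitively, which is how browsers treat X-Frame-Options."""
    values = {v.upper() for n, v in headers if n.lower() == "x-frame-options"}
    if not values:
        return True, "no X-Frame-Options header: page can be framed by any origin"
    if len(values) > 1:
        # Conflicting values are reported as a failure here (conservative choice).
        return True, "conflicting X-Frame-Options values: " + ", ".join(sorted(values))
    value = values.pop()
    if value == "DENY":
        return False, "X-Frame-Options: DENY blocks all framing"
    if value == "SAMEORIGIN":
        return False, ("X-Frame-Options: SAMEORIGIN allows same-origin framing; "
                       "partially bypassable if the app can be made to frame untrusted pages")
    return True, f"invalid or obsolete X-Frame-Options value {value!r}; browsers ignore it"

def meets_acceptance_test(raw: str) -> bool:
    """The issue's acceptance criterion: the header is present with the value DENY."""
    values = {v.upper() for n, v in parse_headers(raw) if n.lower() == "x-frame-options"}
    return values == {"DENY"}
```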

Activity

Dave Cridland
December 11, 2015, 12:01 PM

Fixed by PR 442, now set by an option adminConsole.frame-options which defaults to "deny".

Tim Durden
November 14, 2016, 1:59 PM

Closing.

Dave Cridland
December 16, 2016, 11:30 AM

Found during 4.1.0 Beta testing to be open for general admin console, but not plugins.

Assignee

Dave Cridland

Reporter

Tim Durden

Labels

None

Expected Effort

Minimal

Ignite Forum URL

None

Fix versions

Affects versions

Priority

Major