July 12, 2022 at 5:52 am #10974 Ccbotts (Participant)
Hello,
Someone from the outside pointed out a possible flaw in our system. I just upgraded from 1.14.3 to 1.14.8 and plan to go further, but that will require an upgraded PHP etc. Can anyone confirm whether this is indeed an issue?
The details of it are as follows:-
Summary:
X-Frame-Options ALLOW-FROM is not supported by several browsers.

Steps To Reproduce:
1. Create a new HTML file
2. Put <iframe src="https://mysite.com.com/login.php" frameborder="0"></iframe> in it
3. Save the file
4. Open document in browser
Impact:
An attacker may trick a user by sending them a malicious link; when the user opens it and clicks some image, their account is deactivated without their knowledge.

Solution:
The vulnerability can be fixed by adding "frame-ancestors 'self';" to the CSP (Content-Security-Policy) header.

PoC:
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="X-Frame-Bypass: Web Component extending IFrame to bypass X-Frame-Options: deny/sameorigin">
<title>X-Frame-Bypass Web Component Demo</title>
<style>
html, body {
margin: 0;
padding: 0;
height: 100%;
overflow: hidden;
}
iframe {
display: block;
width: calc(70% - 40px);
height: calc(80% - 40px);
margin: 20px;
}
img {
position: absolute;
top: 0;
right: 0;
}
</style>
<script src="https://unpkg.com/@ungap/custom-elements-builtin"></script>
<script src="x-frame-bypass.js" type="module"></script>
</head>
<body>
<h1>x-frame-bypass in your site</h1>
<iframe is="x-frame-bypass" src="https://www.cdcp.cz/mujh depozitar/#/login"></iframe>
</body>
</html>

FIX:
Content-Security-Policy: frame-ancestors 'self' is better because it checks all frame ancestors. You should implement a CSP header to avoid these sorts of attacks. Please let me know if you want more information. I hope that you appreciate my ethical disclosure of this vulnerability; I am expecting a reward as a token of appreciation for this.
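The question in the post is whether an `X-Frame-Options: ALLOW-FROM` header actually protects a login page, and whether `Content-Security-Policy: frame-ancestors 'self'` is the right fix. The script below is an added example, not code from the post, the reporter, or the product being discussed. It models how a current browser decides whether a response may be framed, following the HTML Standard's X-Frame-Options check (which ignores ALLOW-FROM and any other value that is not DENY or SAMEORIGIN, and which is skipped entirely when an enforced `frame-ancestors` directive is present) and the CSP3 `frame-ancestors` source-matching rules. The origins `mysite.example`, `attacker.example` and `partner.example`, and the header sets in `CASES`, are constructed stand-ins for real responses. Simplifications: `'self'` is treated as exact same-origin, and the path part of a host-source is ignored, as it is for `frame-ancestors`.

```javascript
// Added example (not from the forum post or the product): models the browser-side
// framing decision for X-Frame-Options and CSP frame-ancestors. Origins and header
// sets below are constructed for illustration.

function parseOrigin(originString) {
  const u = new URL(originString);
  const scheme = u.protocol.slice(0, -1);
  return { scheme, host: u.hostname.toLowerCase(), port: u.port || defaultPort(scheme) };
}

function defaultPort(scheme) {
  return scheme === 'https' ? '443' : scheme === 'http' ? '80' : '';
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Does one CSP ancestor-source expression (already lower-cased) admit an ancestor origin?
function sourceMatches(expr, ancestor, page) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return sameOrigin(ancestor, page);          // simplification: exact same-origin
  const schemeOnly = /^([a-z][a-z0-9+.-]*):$/.exec(expr);
  if (schemeOnly) return ancestor.scheme === schemeOnly[1];
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^\/:*]+)(?::(\*|\d+))?(?:\/.*)?$/.exec(expr);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // Scheme: the explicit one, else the page's own; an http source also admits https ancestors.
  const wantScheme = scheme || page.scheme;
  if (!(ancestor.scheme === wantScheme || (wantScheme === 'http' && ancestor.scheme === 'https'))) return false;
  if (host.startsWith('*.')) {
    if (!ancestor.host.endsWith(host.slice(1))) return false;        // *.partner.example
  } else if (host !== '*' && host !== ancestor.host) return false;
  if (port === '*') return true;
  return ancestor.port === (port || defaultPort(ancestor.scheme));   // no port: default for the scheme
}

// Source list of every frame-ancestors directive across all Content-Security-Policy header lines.
function frameAncestorsLists(cspHeaders) {
  const lists = [];
  for (const header of cspHeaders) {
    for (const policy of header.split(',')) {
      for (const directive of policy.split(';')) {
        const tokens = directive.trim().split(/\s+/).filter(Boolean);
        if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
          lists.push(tokens.slice(1).map(t => t.toLowerCase()));
        }
      }
    }
  }
  return lists;
}

// headers: { 'content-security-policy': [...], 'x-frame-options': [...] }, lower-case names,
// one array entry per header line. ancestorOrigins lists every frame ancestor of the page.
function framingAllowed(pageOrigin, ancestorOrigins, headers) {
  const page = parseOrigin(pageOrigin);
  const ancestors = ancestorOrigins.map(parseOrigin);
  if (ancestors.length === 0) return true;                 // top-level navigation: nothing to check

  const lists = frameAncestorsLists(headers['content-security-policy'] || []);
  if (lists.length > 0) {
    // CSP governs and X-Frame-Options is ignored; every policy must admit every ancestor.
    return lists.every(sources => ancestors.every(a => sources.some(s => sourceMatches(s, a, page))));
  }

  const xfo = new Set((headers['x-frame-options'] || [])
    .flatMap(v => v.split(','))
    .map(v => v.trim().toLowerCase()));
  if (xfo.size > 1 && (xfo.has('deny') || xfo.has('allowall') || xfo.has('sameorigin'))) return false;
  if (xfo.size > 1) return true;                           // several unrecognised values: header ignored
  const [value] = xfo;                                     // undefined when the header is absent
  if (value === 'deny') return false;
  if (value === 'sameorigin') return ancestors.every(a => sameOrigin(a, page));
  return true;   // absent, ALLOW-FROM, or any other unrecognised value: framing is allowed
}

// Constructed header sets standing in for responses from a login page.
const PAGE = 'https://mysite.example';         // assumed stand-in for the reporter's login page
const ATTACKER = ['https://attacker.example']; // assumed clickjacking page framing PAGE
const CASES = {
  noHeader:        {},
  allowFromOnly:   { 'x-frame-options': ['ALLOW-FROM https://partner.example'] },
  sameOrigin:      { 'x-frame-options': ['SAMEORIGIN'] },
  cspSelf:         { 'content-security-policy': ["frame-ancestors 'self'"] },
  cspBeatsXfoDeny: { 'content-security-policy': ["frame-ancestors 'self' https://*.partner.example"],
                     'x-frame-options': ['DENY'] },
};

function evaluateCases(ancestors = ATTACKER) {
  return Object.fromEntries(Object.entries(CASES).map(([name, h]) => [name, framingAllowed(PAGE, ancestors, h)]));
}

console.log(evaluateCases());
```

Run it with `node`. The `allowFromOnly` case comes out as framable, which is the reporter's point: a modern browser treats ALLOW-FROM as an unrecognised value and behaves as if no header were sent. `cspSelf` blocks the attacker page, and `cspBeatsXfoDeny` shows that once `frame-ancestors` is present it alone decides, so a CSP that whitelists a partner origin admits that partner even with `X-Frame-Options: DENY` alongside. Sending `X-Frame-Options: SAMEORIGIN` together with `Content-Security-Policy: frame-ancestors 'self'` covers browsers old enough to lack CSP support without weakening the newer ones.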