OF-997: Admin Console: Frameable Response (potential Clickjacking)

Project: Openfire
Parent issue: OF-942 CVE-2015-6972 CVE-2015-6973 Admin Console Security Improvements


    Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.0.0
    • Fix Version/s: 4.1.0
    • Component/s: None
    • Labels: None
    • Environment:
      Openfire v4.0.0 (alpha), with the following plugins installed: Broadcast (v1.9.0), Client Control (v1.2.0) and Monitoring Service (v1.4.7).
    • Acceptance Test - Entry:
      Openfire returns X-Frame-Options header with value DENY.
    • Expected Effort:
      Minimal

      Description

      Spotted during a vulnerability assessment run with Burp Suite (v1.6.31) against Openfire v4.0.0 (alpha), with the following plugins installed: Broadcast (v1.9.0), Client Control (v1.2.0) and Monitoring Service (v1.4.7).

      Issue remediation
      To effectively prevent framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself. Note that the SAMEORIGIN value can be partially bypassed if the application itself can be made to frame untrusted websites.
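      The acceptance test above is only meaningful if it holds for every response the admin console serves, including plugin pages and error pages, since a single frameable page is all a clickjacking attack needs. The script below is an added example (not Openfire code and not part of this issue) that evaluates a set of responses the way a current browser would: a Content-Security-Policy frame-ancestors directive takes precedence and makes X-Frame-Options irrelevant, several differing X-Frame-Options values are treated as a malformed header, and unrecognised values such as ALLOW-FROM give no protection. The sample responses are constructed, and the plugin path in them is hypothetical.

```python
"""Offline check of the acceptance test on this issue: every admin console
response should carry exactly one X-Frame-Options header whose value is DENY.
This is an added example, not Openfire code.  The responses below are
constructed, and the plugin path is hypothetical."""

from typing import List, Tuple

Headers = List[Tuple[str, str]]


def xfo_values(headers: Headers) -> List[str]:
    """Unique, lower-cased X-Frame-Options tokens across all copies of the
    header, splitting comma-separated lists the way a browser does."""
    seen: List[str] = []
    for name, value in headers:
        if name.lower() != "x-frame-options":
            continue
        for part in value.split(","):
            token = part.strip().lower()
            if token and token not in seen:
                seen.append(token)
    return seen


def has_frame_ancestors(headers: Headers) -> bool:
    """True if a Content-Security-Policy header sets frame-ancestors."""
    for name, value in headers:
        if name.lower() == "content-security-policy":
            for directive in value.split(";"):
                if directive.strip().lower().startswith("frame-ancestors"):
                    return True
    return False


def framing_policy(headers: Headers) -> str:
    """Effective framing policy a current browser derives from the headers:
    'csp'        frame-ancestors is present and X-Frame-Options is ignored
    'deny'       X-Frame-Options: DENY
    'sameorigin' X-Frame-Options: SAMEORIGIN
    'conflict'   several different X-Frame-Options values (browsers block,
                 but the header is malformed and should be fixed)
    'frameable'  no header, or a value browsers do not recognise (ALLOW-FROM,
                 typos), i.e. no protection at all
    """
    if has_frame_ancestors(headers):
        return "csp"
    values = xfo_values(headers)
    if not values:
        return "frameable"
    if len(values) > 1:
        return "conflict"
    if values[0] in ("deny", "sameorigin"):
        return values[0]
    return "frameable"


def meets_acceptance(headers: Headers) -> bool:
    """The acceptance criterion on this issue: exactly one value, DENY."""
    return xfo_values(headers) == ["deny"]


def audit(responses: List[Tuple[str, Headers]]) -> List[Tuple[str, str]]:
    """Return (path, effective policy) for every response that fails the
    acceptance test.  One frameable page is enough for clickjacking, so
    plugin pages and error pages belong in the sweep too."""
    return [(path, framing_policy(h)) for path, h in responses
            if not meets_acceptance(h)]


# Constructed sample sweep (not captured traffic); the plugin path is made up.
SAMPLE_RESPONSES: List[Tuple[str, Headers]] = [
    ("/login.jsp", [("Content-Type", "text/html"), ("X-Frame-Options", "DENY")]),
    ("/index.jsp", [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")]),
    ("/plugins/broadcast/index.jsp", [("Content-Type", "text/html")]),
    ("/error.jsp", [("X-Frame-Options", "ALLOW-FROM https://example.test")]),
    ("/user-summary.jsp", [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")]),
    ("/server-properties.jsp",
     [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
      ("X-Frame-Options", "DENY")]),
]

if __name__ == "__main__":
    for path, policy in audit(SAMPLE_RESPONSES):
        print(f"FAIL {path}: effective policy = {policy}")
```

      Run against real traffic, the header lists would come from the proxy log or from a crawl of the console; the point of keeping framing_policy separate from meets_acceptance is that a page can be safe in the browser (for example via frame-ancestors) and still fail the narrower criterion this issue sets, which is what the acceptance test should flag.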

            People

            • Assignee: dwd Dave Cridland
            • Reporter: timd Tim Durden
            • Votes: 0
            • Watchers: 3
