[Openstack-security] [Bug 1461154] Re: Cross-Frame Scripting (XFS) Clickjacking vulnerability with legacy browsers
Brian Tully
brian.tully at hp.com
Thu Jun 11 21:13:10 UTC 2015
Ahh, never mind, I see that the "won't fix" was assigned to "ossa" :)
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1461154
Title:
Cross-Frame Scripting (XFS) Clickjacking vulnerability with legacy browsers
Status in OpenStack Dashboard (Horizon):
New
Status in OpenStack Security Advisories:
Won't Fix
Bug description:
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed (private)
security vulnerabilities before their coordinated publication by the
OpenStack Vulnerability Management Team in the form of an official
OpenStack Security Advisory. This includes discussion of the bug or
associated fixes in public forums such as mailing lists, code review
systems and bug trackers. Please also avoid private disclosure to
other individuals not already approved for access to this information,
and provide this same reminder to those who are made aware of the
issue prior to publication. All discussion should remain confined to
this private bug report, and any proposed fixes should be added to the
bug as attachments.
Vulnerability Details
A Cross-Frame Scripting (XFS) vulnerability can allow an attacker to load the vulnerable application inside an HTML iframe tag
on a malicious page.
Impact
An attacker could use XFS to devise a Clickjacking attack to conduct phishing, frame sniffing,
social engineering or Cross-Site Request Forgery attacks.
Recommendations
Set the HTTP X-Frame-Options header to one of the following:
DENY - deny any frames
SAMEORIGIN - frames are only allowed from the same origin
ALLOW-FROM - a list of allowable origins
Although many pages within Horizon 1.1 leverage the X-Frame-Options
header with the recommended SAMEORIGIN policy, some (still popular)
older browsers don’t support this setting. Namely, browsers older
than IE 8 and Firefox 3.6.9 don’t recognize the header and are thus
vulnerable to an attack known as ClickJacking unless an additional
mitigating control is present.
To support legacy browsers, a suggested best practice is to add a
frame breaking script to the base/global template file. Based off of
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Best-for-now_Legacy_Browser_Frame_Breaking_Script
"""
One way to defend against clickjacking is to include a "frame-breaker"
script in each page that should not be framed. The following
methodology will prevent a webpage from being framed even in legacy
browsers that do not support the X-Frame-Options header.
In the document HEAD element, add the following:
First apply an ID to the style element itself:
<style id="antiClickjack">body{display:none !important;}</style>
And then delete that style by its ID immediately after in the script:
<script type="text/javascript">
  if (self === top) {
    var antiClickjack = document.getElementById("antiClickjack");
    antiClickjack.parentNode.removeChild(antiClickjack);
  } else {
    top.location = self.location;
  }
</script>
This way, everything can be in the document HEAD and you only need one
method/taglib in your API.
"""
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1461154/+subscriptions