[Openstack-security] [Bug 1461154] Re: Cross-Frame Scripting (XFS) Clickjacking vulnerability with legacy browsers

Thierry Carrez thierry.carrez+lp at gmail.com
Thu Oct 15 11:19:25 UTC 2015


** Changed in: horizon
    Milestone: liberty-2 => 8.0.0

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1461154

Title:
  Cross-Frame Scripting (XFS) Clickjacking vulnerability with legacy
  browsers

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Vulnerability Details

  A Cross-Frame Scripting (XFS) vulnerability can allow an attacker to load the vulnerable application inside an HTML iframe tag
  on a malicious page.

  Impact

  An attacker could use XFS to devise a Clickjacking attack to conduct phishing, frame sniffing,
  social engineering or Cross-Site Request Forgery attacks.

  Recommendations

  Set the HTTP X-Frame-Options header to one of the following:
  DENY - deny any frames
  SAMEORIGIN - frames are only allowed from the same origin
  ALLOW-FROM - a list of allowable origins

  Although many pages within Horizon 1.1 leverage the X-Frame-Options
  header with the recommended SAMEORIGIN policy, some (still popular)
  older browsers don’t support this setting.  Namely, browsers older
  than IE 8 and Firefox 3.6.9 don’t recognize the header and are thus
  vulnerable to an attack known as ClickJacking unless an additional
  mitigating control is present.

  To support legacy browsers, a suggested best practice is to add a
  frame breaking script to the base/global template file. Based off of
  https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Best-
  for-now_Legacy_Browser_Frame_Breaking_Script

  """

  One way to defend against clickjacking is to include a "frame-breaker"
  script in each page that should not be framed. The following
  methodology will prevent a webpage from being framed even in legacy
  browsers that do not support the X-Frame-Options header.

  In the document HEAD element, add the following:

  First apply an ID to the style element itself:

  <style id="antiClickjack">body{display:none !important;}</style>

  And then delete that style by its ID immediately after in the script:

  <script type="text/javascript">
     if (self === top) {
         var antiClickjack = document.getElementById("antiClickjack");
         antiClickjack.parentNode.removeChild(antiClickjack);
     } else {
         top.location = self.location;
     }
  </script>

  This way, everything can be in the document HEAD and you only need one
  method/taglib in your API.

  """

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1461154/+subscriptions
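The following is an added example and is not code from the bug report, from Horizon, or from the OWASP cheat sheet. It puts the two defences discussed in the report into testable form: a checker that applies the X-Frame-Options semantics listed under "Recommendations" (DENY, SAMEORIGIN, ALLOW-FROM, header absent) to a response's headers and reports whether a given framing origin would be allowed, and the quoted legacy frame-breaker written as a pure function over stand-in `self`/`top`/`document` objects so it can be exercised with constructed mocks outside a browser. The origins (horizon.example, attacker.example, partner.example), the header sets, and the mock document are all constructed for the example.

```javascript
// Added example, not code from the bug report or from OWASP/Horizon.
//  1. framingAllowed(): given a response's headers, decide whether a page
//     served from pageOrigin may be framed by a page on framerOrigin,
//     following the X-Frame-Options values the report lists.
//  2. runFrameBreaker(): the quoted OWASP legacy frame-breaker decision as a
//     pure function over window/document objects, so it runs with mocks.

function parseXFrameOptions(value) {
  if (value === undefined || value === null) return null;   // header absent
  const raw = String(value).trim();
  const upper = raw.toUpperCase();
  if (upper === "DENY") return { policy: "DENY" };
  if (upper === "SAMEORIGIN") return { policy: "SAMEORIGIN" };
  if (upper.startsWith("ALLOW-FROM")) {
    // ALLOW-FROM carries a single origin (scheme://host[:port]).
    const origin = raw.slice("ALLOW-FROM".length).trim().replace(/\/$/, "");
    return { policy: "ALLOW-FROM", origin };
  }
  return { policy: "INVALID", raw };        // unknown value: browsers ignore it
}

// Header names are matched case-insensitively, as HTTP requires.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? null : headers[key];
}

function framingAllowed(headers, pageOrigin, framerOrigin) {
  const xfo = parseXFrameOptions(getHeader(headers, "x-frame-options"));
  if (xfo === null) return true;                // no header: anyone may frame
  switch (xfo.policy) {
    case "DENY":       return false;
    case "SAMEORIGIN": return framerOrigin === pageOrigin;
    case "ALLOW-FROM": return framerOrigin === xfo.origin;
    default:           return true;             // invalid value: no protection
  }
}

// Mirrors the quoted frame-breaker. selfWin/topWin stand in for the browser's
// self/top; doc stands in for document (all constructed mocks in this example).
function runFrameBreaker(selfWin, topWin, doc) {
  if (selfWin === topWin) {
    const style = doc.getElementById("antiClickjack");
    if (style && style.parentNode) style.parentNode.removeChild(style);
    return "unhidden";            // top-level: reveal the page body
  }
  topWin.location = selfWin.location;
  return "broke-out";             // framed: navigate the top window to ourselves
}

// Constructed mock of a document whose <head> holds the antiClickjack style.
function makeMockDocument() {
  const head = {
    children: [],
    removeChild(node) { this.children = this.children.filter((c) => c !== node); },
  };
  const style = { id: "antiClickjack", parentNode: head };
  head.children.push(style);
  return {
    head,
    getElementById(id) { return head.children.find((c) => c.id === id) || null; },
  };
}

// Runs both checks over constructed inputs and returns the outcomes.
function demo() {
  const page = "https://horizon.example";       // constructed origin
  const attacker = "https://attacker.example";  // constructed origin
  const headerCases = {
    sameOriginBlocksAttacker: framingAllowed({ "X-Frame-Options": "SAMEORIGIN" }, page, attacker),
    sameOriginAllowsSelf:     framingAllowed({ "X-Frame-Options": "SAMEORIGIN" }, page, page),
    denyBlocksSelf:           framingAllowed({ "x-frame-options": "deny" }, page, page),
    missingHeaderAllowsAll:   framingAllowed({ "Content-Type": "text/html" }, page, attacker),
    allowFromOnlyListed:      framingAllowed({ "X-Frame-Options": "ALLOW-FROM https://partner.example" }, page, attacker),
  };

  // Case A: page loaded top-level (self === top): style is removed, body shows.
  const docTop = makeMockDocument();
  const topWin = { location: "https://horizon.example/" };
  const topLevel = runFrameBreaker(topWin, topWin, docTop);

  // Case B: page framed by another top window: top is navigated to the page.
  const docFramed = makeMockDocument();
  const hostileTop = { location: "https://attacker.example/" };
  const framedWin = { location: "https://horizon.example/" };
  const framed = runFrameBreaker(framedWin, hostileTop, docFramed);

  return {
    headerCases,
    topLevel,
    topLevelStyleRemoved: docTop.getElementById("antiClickjack") === null,
    framed,
    framedStyleStillPresent: docFramed.getElementById("antiClickjack") !== null,
    hostileTopRedirectedTo: hostileTop.location,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two caveats the mock makes visible. In the framed case the hidden body is never revealed: if a hostile parent blocks the `top.location` navigation (for example via a sandboxed iframe without top-navigation permission), the page stays blank rather than clickable, which is the fail-closed behaviour the style-then-script ordering is designed for. And the checker treats ALLOW-FROM as honoured only when the framing origin matches exactly; browsers that never implemented ALLOW-FROM ignore the header entirely, so a response relying on it alone should be read as unprotected on those browsers.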
