[Openstack-security] [Bug 1461154] Re: Cross-Frame Scripting (XFS) Clickjacking vulnerability with legacy browsers
OpenStack Infra
1461154 at bugs.launchpad.net
Fri Jul 3 02:53:14 UTC 2015
** Changed in: horizon
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1461154
Title:
Cross-Frame Scripting (XFS) Clickjacking vulnerability with legacy
browsers
Status in OpenStack Dashboard (Horizon):
Fix Committed
Status in OpenStack Security Advisories:
Won't Fix
Bug description:
Vulnerability Details
A Cross-Frame Scripting (XFS) vulnerability can allow an attacker to load the vulnerable application inside an HTML iframe tag
on a malicious page.
Impact
An attacker could use XFS to devise a Clickjacking attack to conduct phishing, frame sniffing,
social engineering or Cross-Site Request Forgery attacks.
Recommendations
Set the HTTP X-Frame-Options header to one of the following:
DENY - deny any frames
SAMEORIGIN - frames are only allowed from the same origin
ALLOW-FROM - a list of allowable origin's
Although many pages within Horizon 1.1 leverage the X-Frame-Options
header with the recommended SAMEORIGIN policy, some (still popular)
older browsers don’t support this setting. Namely, browsers older
than IE 8 and Firefox 3.6.9 don’t recognize the header and are thus
vulnerable to an attack known as ClickJacking unless an additional
mitigating control is present.
To support legacy browsers, a suggested best practice is to add a
frame breaking script to the base/global template file. Based off of
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Best-
for-now_Legacy_Browser_Frame_Breaking_Script
"""
One way to defend against clickjacking is to include a "frame-breaker"
script in each page that should not be framed. The following
methodology will prevent a webpage from being framed even in legacy
browsers, that do not support the X-Frame-Options-Header.
In the document HEAD element, add the following:
First apply an ID to the style element itself:
<style id="antiClickjack">body{display:none !important;}</style>
And then delete that style by its ID immediately after in the script:
<script type="text/javascript">
if (self === top) {
var antiClickjack = document.getElementById("antiClickjack");
antiClickjack.parentNode.removeChild(antiClickjack);
} else {
top.location = self.location;
}
</script>
This way, everything can be in the document HEAD and you only need one
method/taglib in your API.
"""
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1461154/+subscriptions
More information about the Openstack-security
mailing list