
Bug #2419

Possible Clickjacking Vulnerability

Added by Laterpay Gmbh about 7 years ago. Updated almost 7 years ago.

Status:
Resolved
Priority:
High
Assignee:
-
Category:
-
Target version:
-
Start date:
05/09/2012
Due date:
% Done:

100%

Estimated time:
Affected Version:
All
Affected Architecture:

Description

According to tests performed for our PCI-DSS certification by a professional security auditing team, pfSense has a possible clickjacking vulnerability.

The following is the report:

The web page on port 80 is vulnerable to clickjacking attacks. This attack can trick the user into clicking on the link by framing the original page and showing a layer on top of it with dummy buttons. To prevent clickjacking in current browsers the X-FRAME-OPTIONS setting can be used. This response header option needs to be set on each site. In an ASP.NET environment this can be achieved by the command: this.Response.Headers["X-FRAME-OPTIONS"] = "DENY";
If the setting “DENY” is used, the page will never be loaded in a frame. The setting “SAMEORIGIN” allows displaying the page in a frame when the main document’s domain matches that page’s domain.
To protect customers using older browsers, the following JavaScript code should be added to the head of each document:
<style id="antiClickjack">body{display:none}</style> <script type="text/javascript">
if (self === top) { // top-level document: reveal the page
    var antiClickjack = document.getElementById("antiClickjack");
    antiClickjack.parentNode.removeChild(antiClickjack);
} else { // framed: break out by redirecting the top window to this page
    top.location = self.location;
}
</script>
Both clickjacking preventions should be implemented to protect customers.

Associated revisions

Revision babac37a (diff)
Added by Scott Ullrich about 7 years ago

Add clickjacking support. Ticket #2419

Revision c886fed9 (diff)
Added by Jim Pingle about 7 years ago

As suggested by wagonza, using SAMEORIGIN for X-Frame-Options is sufficient here, and does allow the traffic graphs to work. Fixes #2419

History

#1 Updated by Scott Ullrich about 7 years ago

  • Status changed from New to Feedback

#2 Updated by Jim Pingle about 7 years ago

  • Status changed from Feedback to New

Adding this bit in auth.inc broke the realtime traffic graphs:

Header("X-Frame-Options: DENY");

We either need some way to override that behavior, or to back it out.
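As an added example, not from the ticket or from pfSense's own code, the JavaScript below models the browser's X-Frame-Options decision for the situations the thread describes: no header (the auditor's finding), DENY blocking the same-origin traffic-graph frame, and SAMEORIGIN allowing it while still blocking cross-site framing. The hostnames, paths and response header block are constructed.

```javascript
// Added example (not pfSense code): models the browser's X-Frame-Options
// decision to show why DENY broke pfSense's same-origin traffic-graph
// frames while SAMEORIGIN still blocks cross-site framing. All URLs and
// header values below are constructed for illustration.

// Pull the X-Frame-Options value out of a raw HTTP response header block
// (header names are case-insensitive). Returns null when absent.
function xfoFromResponse(rawHeaders) {
  for (const line of rawHeaders.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx < 0) continue;
    if (line.slice(0, idx).trim().toLowerCase() === "x-frame-options") {
      return line.slice(idx + 1).trim();
    }
  }
  return null;
}

// Would a browser render `framedUrl` inside a frame whose top-level
// document is `topUrl`? DENY: never. SAMEORIGIN: only when the origins
// (scheme, host, port) match. Missing/unrecognised value: no restriction,
// which is exactly the auditor's finding.
function framingAllowed(xfo, topUrl, framedUrl) {
  const value = (xfo || "").trim().toUpperCase();
  if (value === "DENY") return false;
  if (value === "SAMEORIGIN") {
    return new URL(topUrl).origin === new URL(framedUrl).origin;
  }
  return true;
}

// Constructed response from a hypothetical firewall webGUI after the fix.
const FIXED_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Content-Type: text/html; charset=UTF-8",
  "x-frame-options: SAMEORIGIN",
  "",
].join("\r\n");

// Scenarios from the ticket, with constructed hostnames.
const GUI = "https://firewall.example/index.php";
const GRAPH = "https://firewall.example/graph.php"; // same-origin frame
const OTHER_SITE = "https://other.example/decoy.html"; // cross-origin frame

function scenarios() {
  const fixed = xfoFromResponse(FIXED_RESPONSE);
  return {
    noHeaderCrossSite: framingAllowed(null, OTHER_SITE, GUI), // true: frameable
    denySameOrigin: framingAllowed("DENY", GUI, GRAPH), // false: graphs break
    fixedSameOrigin: framingAllowed(fixed, GUI, GRAPH), // true: graphs work
    fixedCrossSite: framingAllowed(fixed, OTHER_SITE, GUI), // false: blocked
  };
}
```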

#3 Updated by Jim Pingle about 7 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#4 Updated by Jim Pingle almost 7 years ago

  • Status changed from Feedback to Resolved
