Bug #2419

closed

Possible Clickjacking Vulnerability

Added by Laterpay Gmbh almost 12 years ago. Updated almost 12 years ago.

Status:
Resolved
Priority:
High
Assignee:
-
Category:
-
Target version:
-
Start date:
05/09/2012
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:

Description

According to our tests for PCI-DSS certification by a professional security auditing team, pfSense has a possible clickjacking vulnerability.

The following is the report:

The web page on port 80 is vulnerable to clickjacking attacks. This attack can trick the user into clicking on the link by framing the original page and showing a layer on top of it with dummy buttons. To prevent clickjacking in current browsers the X-FRAME-OPTIONS setting can be used. This response header option needs to be set on each site. In an ASP.NET environment this can be achieved by the command: this.Response.Headers["X-FRAME-OPTIONS"] = "DENY";
If the setting “DENY” is used, the page will never be loaded in a frame. The setting “SAMEORIGIN” allows displaying the page in a frame when the main document’s domain matches that page’s domain.
To protect customers using older browsers, the following JavaScript code should be added to the head of each document:
<style id="antiClickjack">body{display:none}</style>
<script type="text/JavaScript">
if (self === top) {
    // Not framed: remove the hiding style so the body is shown
    var antiClickjack = document.getElementById("antiClickjack");
    antiClickjack.parentNode.removeChild(antiClickjack);
} else {
    // Framed: navigate the top window to this page instead
    top.location = self.location;
}
</script>
Both clickjacking preventions should be implemented to protect customers.

Actions #1

Updated by Scott Ullrich almost 12 years ago

  • Status changed from New to Feedback

Actions #2

Updated by Jim Pingle almost 12 years ago

  • Status changed from Feedback to New

Adding this bit in auth.inc broke the realtime traffic graphs:

Header("X-Frame-Options: DENY");

We either need some way to override that behavior, or to back it out.
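To illustrate why a blanket DENY header breaks the same-origin traffic-graph iframe described in comment #2 while the report's SAMEORIGIN setting would not, here is an added Python model of how a browser applies X-Frame-Options. This is example code, not pfSense's; the URLs and HTTP responses are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed sample responses, not captured from a real pfSense install.
RESPONSE_NO_HEADER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"
RESPONSE_DENY = "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nContent-Type: text/html\r\n\r\n"
RESPONSE_SAMEORIGIN = "HTTP/1.1 200 OK\r\nx-frame-options: sameorigin\r\n\r\n"

# Placeholder URLs: a graph page loaded in an iframe, its same-origin parent
# page in the GUI, and an unrelated third-party page that frames it.
GRAPH_URL = "http://192.0.2.1/graph.php"
GUI_URL = "http://192.0.2.1/status_graph.php"
THIRD_PARTY_URL = "http://third-party.example/decoy.html"


def parse_headers(raw_response: str) -> dict:
    """Return the response headers as a lower-cased name -> value map."""
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    headers = {}
    for line in head.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def origin(url: str) -> str:
    """scheme://host[:port], which is what SAMEORIGIN compares."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def frame_allowed(raw_response: str, framed_url: str, top_url: str) -> bool:
    """Would a browser honouring X-Frame-Options render framed_url inside top_url?"""
    policy = parse_headers(raw_response).get("x-frame-options", "").strip().upper()
    if policy == "DENY":
        return False  # never framed, not even by the same site (comment #2)
    if policy == "SAMEORIGIN":
        return origin(framed_url) == origin(top_url)
    # No header (the audit finding) or an unrecognised value: modelled here
    # as no protection, so the frame renders.
    return True
```

Running frame_allowed on the DENY response with GUI_URL as the parent returns False, which is the traffic-graph breakage; the SAMEORIGIN response keeps the same-origin iframe working while still refusing the third-party page.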

Actions #3

Updated by Jim Pingle almost 12 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

Actions #4

Updated by Jim Pingle almost 12 years ago

  • Status changed from Feedback to Resolved