Cross-Frame Scripting (XFS) Clickjacking vulnerability with legacy browsers
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Dashboard (Horizon) |
Fix Released
|
Low
|
Brian Tully | ||
| OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Unassigned | ||
Bug Description
Vulnerability Details
A Cross-Frame Scripting (XFS) vulnerability can allow an attacker to load the vulnerable application inside an HTML iframe tag
on a malicious page.
Impact
An attacker could use XFS to devise a Clickjacking attack to conduct phishing, frame sniffing,
social engineering or Cross-Site Request Forgery attacks.
Recommendations
Set the HTTP X-Frame-Options header to one of the following:
DENY - deny any frames
SAMEORIGIN - frames are only allowed from the same origin
ALLOW-FROM - a list of allowable origin's
Although many pages within Horizon 1.1 leverage the X-Frame-Options header with the recommended SAMEORIGIN policy, some (still popular) older browsers don’t support this setting. Namely, browsers older than IE 8 and Firefox 3.6.9 don’t recognize the header and are thus vulnerable to an attack known as ClickJacking unless an additional mitigating control is present.
To support legacy browsers, a suggested best practice is to add a frame breaking script to the base/global template file. Based off of https:/
"""
One way to defend against clickjacking is to include a "frame-breaker" script in each page that should not be framed. The following methodology will prevent a webpage from being framed even in legacy browsers, that do not support the X-Frame-
In the document HEAD element, add the following:
First apply an ID to the style element itself:
<style id="antiClickja
And then delete that style by its ID immediately after in the script:
<script type="text/
if (self === top) {
var antiClickjack = document.
} else {
top.location = self.location;
}
</script>
This way, everything can be in the document HEAD and you only need one method/taglib in your API.
"""
| Jeremy Stanley (fungi) wrote | #1 |
| Changed in ossa: | |
| status: | New → Incomplete |
| description: | updated |
| Jeremy Stanley (fungi) wrote | #2 |
| Lin Hua Cheng (lin-hua-cheng) wrote | #3 |
| Jeremy Stanley (fungi) wrote | #4 |
| Brian Tully (brian-tully) wrote | #5 |
| Lin Hua Cheng (lin-hua-cheng) wrote | #6 |
| Brian Tully (brian-tully) wrote | #7 |
| Tristan Cacqueray (tristan-cacqueray) wrote | #8 |
| Changed in ossa: | |
| status: | Incomplete → Won't Fix |
| information type: | Private Security → Public |
| Brian Tully (brian-tully) wrote | #9 |
| Brian Tully (brian-tully) wrote | #10 |
| Changed in horizon: | |
| assignee: | nobody → Brian Tully (brian-tully) |
| importance: | Undecided → Low |
| OpenStack Infra (hudson-openstack) wrote Fix proposed to horizon (master) | #11 |
| Changed in horizon: | |
| status: | New → In Progress |
| description: | updated |
| Changed in horizon: | |
| status: | In Progress → Fix Committed |
| Changed in horizon: | |
| milestone: | none → liberty-2 |
| status: | Fix Committed → Fix Released |
| Changed in horizon: | |
| milestone: | liberty-2 → 8.0.0 |
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.