2014-03-28 05:44:01 |
Julian Edwards |
bug |
|
|
added bug |
2014-03-28 05:44:22 |
Julian Edwards |
tags |
netcraft |
netcraft trivial |
|
2014-05-01 06:11:00 |
Julian Edwards |
information type |
Private Security |
Public Security |
|
2014-05-01 06:46:15 |
Julian Edwards |
maas: assignee |
|
Julian Edwards (julian-edwards) |
|
2014-05-01 06:46:18 |
Julian Edwards |
maas: status |
Triaged |
In Progress |
|
2014-05-05 06:43:09 |
MAAS Lander |
maas: status |
In Progress |
Fix Committed |
|
2014-05-05 07:45:46 |
Launchpad Janitor |
branch linked |
|
lp:~julian-edwards/maas/1.5-clickjacking |
|
2014-05-05 07:46:48 |
Julian Edwards |
nominated for series |
|
maas/1.5 |
|
2014-05-05 07:46:48 |
Julian Edwards |
bug task added |
|
maas/1.5 |
|
2014-05-05 07:47:01 |
Julian Edwards |
maas/1.5: status |
New |
In Progress |
|
2014-05-05 07:47:04 |
Julian Edwards |
maas/1.5: assignee |
|
Julian Edwards (julian-edwards) |
|
2014-05-05 07:47:06 |
Julian Edwards |
maas/1.5: importance |
Undecided |
High |
|
2014-05-05 07:55:18 |
MAAS Lander |
maas/1.5: status |
In Progress |
Fix Committed |
|
2014-05-08 06:24:11 |
Julian Edwards |
maas/1.5: milestone |
|
1.5.1 |
|
2014-05-08 17:08:09 |
Launchpad Janitor |
branch linked |
|
lp:~ubuntu-branches/ubuntu/utopic/maas/utopic-proposed |
|
2014-05-08 18:43:15 |
Andres Rodriguez |
bug task added |
|
maas (Ubuntu) |
|
2014-05-08 20:02:23 |
Gavin Panella |
description |
= Impact =
A remote attacker could trick users into performing unintended actions within the application.
= Details =
The MAAS application has no protection against user-interface redressing attacks like clickjacking. By
displaying the application in carefully constructed iframes on an unrelated domain, an attacker may
be able to deceive users into performing one or two-click actions in the context of the application,
such as deploying a charm. The impact of a successful clickjacking attack is similar to that of cross-site
request forgery.
See http://www.sectheory.com/clickjacking.htm for a worked demonstration of a clickjacking attack.
= Exploitability =
An attacker can only create exploits for forms that he would be able to view, as he would need to
know the URL and positioning of the target forms. The attacker would also have to persuade a logged-in
user to visit and click once or twice on the page under his control.
A well-executed clickjacking attack is likely to go unnoticed by its victims.
= Remediation =
The application should instruct browsers not to allow other websites to load it in a frame, by adding
the X-Frame-Options: SAMEORIGIN server header. |
[Test Case]
Without the fix:
1. Install MAAS.
2. Create web page on other domain that loads MAAS in an IFRAME.
3. MAAS loads and is usable.
With the fix:
3. MAAS should not display, or should break out of the IFRAME.
Impact:
A remote attacker could trick users into performing unintended actions
within the application.
Commentary:
The MAAS application has no protection against user-interface
redressing attacks like clickjacking. By displaying the application in
carefully constructed iframes on an unrelated domain, an attacker may
be able to deceive users into performing one or two-click actions in
the context of the application, such as deploying a charm. The impact
of a successful clickjacking attack is similar to that of cross-site
request forgery. See http://www.sectheory.com/clickjacking.htm for a
worked demonstration of a clickjacking attack.
Exploitability:
An attacker can only create exploits for forms that he would be able
to view, as he would need to know the URL and positioning of the
target forms. The attacker would also have to persuade a logged-in
user to visit and click once or twice on the page under his control.
A well-executed clickjacking attack is likely to go unnoticed by its
victims.
Remediation:
The application should instruct browsers not to allow other websites
to load it in a frame, by adding the X-Frame-Options: SAMEORIGIN
server header. |
|
2014-05-09 02:50:00 |
Julian Edwards |
maas/1.5: status |
Fix Committed |
Fix Released |
|
2014-05-09 02:50:03 |
Julian Edwards |
maas: status |
Fix Committed |
Fix Released |
|
2014-05-09 20:01:24 |
Chris J Arges |
nominated for series |
|
Ubuntu Trusty |
|
2014-05-09 20:01:24 |
Chris J Arges |
bug task added |
|
maas (Ubuntu Trusty) |
|
2014-05-09 20:01:41 |
Chris J Arges |
maas (Ubuntu): status |
New |
Fix Released |
|
2014-05-11 03:19:10 |
Chris J Arges |
maas (Ubuntu Trusty): status |
New |
Fix Committed |
|
2014-05-11 03:19:14 |
Chris J Arges |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2014-05-11 03:19:18 |
Chris J Arges |
bug |
|
|
added subscriber SRU Verification |
2014-05-11 03:19:27 |
Chris J Arges |
tags |
netcraft trivial |
netcraft trivial verification-needed |
|
2014-05-11 03:41:39 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/trusty-proposed/maas |
|
2014-05-21 19:42:45 |
Andres Rodriguez |
tags |
netcraft trivial verification-needed |
netcraft trivial verification-done |
|
2014-05-21 20:43:08 |
Launchpad Janitor |
maas (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
2014-05-21 20:43:37 |
Chris J Arges |
removed subscriber Ubuntu Stable Release Updates Team |
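The description above gives the remediation (send X-Frame-Options: SAMEORIGIN) and a test case (frame the UI from another domain; before the fix it renders, after it does not). The following is an added example in Python, written for this page; it is not MAAS code and not the branch that fixed the bug. It models the test case offline: a hypothetical stand-in WSGI app with no framing policy, a generic middleware that adds the header, and a function that mirrors how a browser decides whether a page may be framed (CSP frame-ancestors first, then X-Frame-Options, and with neither header the page is framable, which is the bug). The app name, middleware name, hostnames and URLs are constructed for the demo.

```python
"""Clickjacking check for a MAAS-style web UI: set X-Frame-Options and test it.

Added example; not MAAS code and not its fix. The app, middleware and URLs
below are hypothetical stand-ins constructed for the demonstration.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Normalise a URL to the scheme://host[:port] triple browsers compare."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    if port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def add_frame_options(app, policy="SAMEORIGIN"):
    """WSGI middleware (assumed, not the project's): add X-Frame-Options if absent."""
    def wrapped(environ, start_response):
        def start_with_header(status, headers, exc_info=None):
            headers = list(headers)
            if not any(name.lower() == "x-frame-options" for name, _ in headers):
                headers.append(("X-Frame-Options", policy))
            return start_response(status, headers, exc_info)
        return app(environ, start_with_header)
    return wrapped


def framing_allowed(headers, page_url, framer_origin):
    """May a document at framer_origin embed page_url? Mirrors modern browser order:
    a CSP frame-ancestors directive wins when present, else X-Frame-Options applies,
    and with neither header framing is allowed (the reported bug)."""
    lowered = {name.lower(): value for name, value in headers}
    page_origin = origin_of(page_url)
    framer = origin_of(framer_origin)

    for directive in lowered.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() != "frame-ancestors":
            continue
        for src in value.split():
            src = src.lower()
            if src == "'none'":
                return False
            if src == "*" or (src == "'self'" and framer == page_origin):
                return True
            if src.endswith(":") and "/" not in src and framer.startswith(src + "//"):
                return True  # scheme-source such as https:
            if "://" in src and origin_of(src) == framer:
                return True  # host-source; host wildcards are not modelled here
        return False  # directive present, no source matched

    raw = lowered.get("x-frame-options", "")
    values = {v.strip().upper() for v in raw.split(",") if v.strip()}
    if "DENY" in values:
        return False  # DENY alone, or DENY conflicting with SAMEORIGIN, both block
    if "SAMEORIGIN" in values:
        return framer == page_origin
    # Absent, malformed, or the obsolete ALLOW-FROM: no restriction in modern browsers.
    return True


def call_wsgi(app, path="/MAAS/", host="maas.example.internal"):
    """Drive a WSGI app with a minimal environ; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "SERVER_NAME": host,
               "SERVER_PORT": "80", "wsgi.url_scheme": "http"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def maas_like_app(environ, start_response):
    """Stand-in for the unpatched UI: a one-click form and no framing policy."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html><body><form method='post' action='/MAAS/nodes/acquire'>"
            b"<button>Acquire node</button></form></body></html>"]


PAGE_URL = "http://maas.example.internal/MAAS/"  # constructed
ATTACKER_ORIGIN = "http://attacker.example"       # constructed


def run_test_case():
    """The report's [Test Case]: frame the UI from another domain, before and after."""
    _, before, _ = call_wsgi(maas_like_app)
    _, after, _ = call_wsgi(add_frame_options(maas_like_app))
    return {
        "before_cross_origin": framing_allowed(before, PAGE_URL, ATTACKER_ORIGIN),
        "after_cross_origin": framing_allowed(after, PAGE_URL, ATTACKER_ORIGIN),
        "after_same_origin": framing_allowed(after, PAGE_URL, origin_of(PAGE_URL)),
    }


if __name__ == "__main__":
    for name, allowed in run_test_case().items():
        print(f"{name}: {'framed' if allowed else 'blocked'}")
```

The decision function is deliberately fail-open for anything other than DENY or SAMEORIGIN, because that is how browsers behave: a missing, misspelt or ALLOW-FROM header leaves the page framable, so a deployment check should assert on the exact value rather than on the header's presence. Same-origin framing stays allowed under SAMEORIGIN, which is what the report's remediation intends.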