Vulnerable to user-interface redressing (e.g. clickjacking)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
MAAS | Fix Released | High | Julian Edwards |
1.5 | Fix Released | High | Julian Edwards |
maas (Ubuntu) | Fix Released | Undecided | Unassigned |
Trusty | Fix Released | Undecided | Unassigned |
Bug Description
[Test Case]
Without the fix:
1. Install MAAS.
2. Create web page on other domain that loads MAAS in an IFRAME.
3. MAAS loads and is usable.
With the fix:
3. MAAS should not display, or should break out of the IFRAME.
Impact:
A remote attacker could trick users into performing unintended actions
within the application.
Commentary:
The MAAS application has no protection against user-interface
redressing attacks like clickjacking. By displaying the application in
carefully constructed iframes on an unrelated domain, an attacker may
be able to deceive users into performing one or two-click actions in
the context of the application, such as deploying a charm. The impact
of a successful clickjacking attack is similar to that of cross-site
request forgery. See http://
worked demonstration of a clickjacking attack.
Exploitability:
An attacker can only create exploits for forms that he would be able
to view, as he would need to know the URL and positioning of the
target forms. The attacker would also have to persuade a logged-in
user to visit and click once or twice on the page under his control.
A well-executed clickjacking attack is likely to go unnoticed by its
victims.
Remediation:
The application should instruct browsers not to allow other websites
to load it in a frame, by adding the X-Frame-Options: SAMEORIGIN
server header.
Related branches
- Jeroen T. Vermeulen (community): Approve
  Diff: 11 lines (+1/-0), 1 file modified: src/maas/settings.py (+1/-0)
- Julian Edwards (community): Approve
  Diff: 11 lines (+1/-0), 1 file modified: src/maas/settings.py (+1/-0)
tags: added: trivial
information type: Private Security → Public Security
Changed in maas:
  assignee: nobody → Julian Edwards (julian-edwards)
  status: Triaged → In Progress
Changed in maas:
  status: In Progress → Fix Committed
description: updated
Changed in maas:
  status: Fix Committed → Fix Released
Changed in maas (Ubuntu):
  status: New → Fix Released
tags: added: verification-done removed: verification-needed
Fixing this bug should be as simple as enabling a middleware; see https://docs.djangoproject.com/en/dev/ref/clickjacking/.
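The remediation section and the comment above both come down to one response header. The following is an added example, not MAAS or Django code: it models how a browser evaluates the anti-framing headers (X-Frame-Options with DENY / SAMEORIGIN / legacy ALLOW-FROM, and the CSP frame-ancestors directive, which takes precedence when both are sent) so that the bug's test case can be checked against captured response headers instead of by loading the UI in a browser. The MAAS and attacker URLs and the before/after header sets are constructed for illustration; the middleware and setting names in the comments are Django's, the rest of the names are the example's own.

```python
# Added example, not MAAS or Django code. It models what a browser does with the
# anti-framing headers named in the remediation above and in the Django docs:
# X-Frame-Options (DENY / SAMEORIGIN / legacy ALLOW-FROM) and the CSP
# frame-ancestors directive, which takes precedence when both are sent.
# In a Django project the fix itself is configuration: add
# "django.middleware.clickjacking.XFrameOptionsMiddleware" to the middleware
# list and set X_FRAME_OPTIONS = "SAMEORIGIN" (or "DENY"); the function below is
# a way to verify the resulting response headers. Port matching is simplified:
# default ports (443/80) are not treated as equal to an absent port.
from urllib.parse import urlsplit


def origin_of(url):
    """Canonical scheme://host[:port] of a URL, lower-cased."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _csp_source_matches(source, page_origin, framer_origin):
    """Match one frame-ancestors source expression against the framing origin."""
    src = source.strip().lower()
    if src == "'none'":
        return False
    if src == "*":
        return True
    if src == "'self'":
        return framer_origin == page_origin
    framer = urlsplit(framer_origin)
    if src.endswith(":") and "/" not in src:        # scheme source such as "https:"
        return framer.scheme == src[:-1]
    if "://" not in src:                            # bare host inherits the page scheme
        src = f"{urlsplit(page_origin).scheme}://{src}"
    s = urlsplit(src)
    if s.scheme != framer.scheme or s.port != framer.port:
        return False
    if s.hostname.startswith("*."):                 # wildcard matches subdomains only
        return framer.hostname.endswith(s.hostname[1:])
    return framer.hostname == s.hostname


def framing_allowed(headers, page_url, framer_url):
    """Return True if a browser would render page_url inside a frame on framer_url.

    headers: response headers of page_url (names matched case-insensitively).
    """
    h = {k.lower(): v for k, v in headers.items()}
    page_origin, framer_origin = origin_of(page_url), origin_of(framer_url)

    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            # CSP frame-ancestors wins over X-Frame-Options when both are present.
            return any(_csp_source_matches(s, page_origin, framer_origin)
                       for s in value.split())

    xfo = h.get("x-frame-options", "").strip().upper()
    if not xfo:
        return True                                 # no header: framable by anyone
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin == page_origin
    if xfo.startswith("ALLOW-FROM "):               # legacy; modern browsers drop it
        return origin_of(xfo.split(None, 1)[1]) == framer_origin
    return True                                     # unrecognised value is ignored


# Constructed headers standing in for a MAAS response before and after the fix.
MAAS_URL = "https://maas.example/MAAS/"
ATTACKER_URL = "https://attacker.example/clickjack.html"
BEFORE_FIX = {"Content-Type": "text/html; charset=utf-8"}
AFTER_FIX = {"Content-Type": "text/html; charset=utf-8",
             "X-Frame-Options": "SAMEORIGIN"}


def reproduce_test_case():
    """Mirror the bug's test case: (framable before fix, framable after fix)."""
    return (framing_allowed(BEFORE_FIX, MAAS_URL, ATTACKER_URL),
            framing_allowed(AFTER_FIX, MAAS_URL, ATTACKER_URL))


if __name__ == "__main__":
    print("framable before fix, after fix:", reproduce_test_case())
```

To apply it to a real deployment, capture the headers of the MAAS login or dashboard page (for instance `curl -sI` against the server) and pass them to `framing_allowed` with an origin you do not control as the framer; the header must be present on every HTML response that carries a state-changing form, not only on the landing page, since the attacker picks the URL to frame. SAMEORIGIN is what the merged change sets; DENY is stricter and appropriate if the application never frames itself, and browsers that support CSP will honour a `frame-ancestors` directive in preference to either.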