    request #10223 Clickjacking protection can be bypassed on Internet Explorer or Edge
    Infos
    #10223
    Thomas Gerbet (tgerbet)
    2017-11-10 10:15
    2017-05-16 09:00
    Details
    Clickjacking protection can be bypassed on Internet Explorer or Edge

    A clickjacking attack can be carried out against users of Internet Explorer or Edge.

    Impact

    An attacker could trick a user into performing actions such as clicking a button or filling in a form, and route the entered information to another page.
    CVSSv3 score: 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

    Exploitation

    The clickjacking protection added in request #7785 can be bypassed for IE/Edge users. This is because IE/Edge do not support the CSP level 2 directive frame-ancestors, and Tuleap offers a user multiple ways to create a frame to untrusted pages (sidebar service, PHPWiki transclude plugin...).

    The only protection left for IE/Edge users is the X-Frame-Options header, which Tuleap currently sets to SAMEORIGIN. It can be bypassed when arbitrary frames can be created: a page on origin A (Tuleap) embeds untrusted content from origin B, which itself embeds a resource from origin A. Because SAMEORIGIN is compared against the top-level origin (A) rather than against every ancestor in the chain, the nested inclusion is not blocked, and the clickjacking attack becomes possible.
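    As an added illustration of the bypass described above (this is not code from the report or from Tuleap), the following Python models how the two framing controls evaluate the nested A → B → A ancestor chain. The URLs are constructed, and the "top-level only" comparison is an assumption modelling the SAMEORIGIN behaviour the report relies on; a user agent checking every ancestor, or a DENY / frame-ancestors 'self' policy, blocks the chain.

```python
from urllib.parse import urlsplit

def origin(url):
    """Scheme + host(:port) of a URL: the unit the framing checks compare."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def xfo_allows(header, page_url, ancestors, top_level_only):
    """Evaluate X-Frame-Options (RFC 7034) for page_url embedded under `ancestors`
    (top-level document first, direct parent last). top_level_only=True is the
    assumed IE/Edge behaviour: SAMEORIGIN is compared with the top-level origin only;
    False compares it with every ancestor."""
    value = header.strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        checked = ancestors[:1] if top_level_only else ancestors
        return all(origin(a) == origin(page_url) for a in checked)
    return True  # header absent or unknown value: no framing restriction

def frame_ancestors_allows(csp, page_url, ancestors):
    """Evaluate a CSP level 2 frame-ancestors directive: every ancestor must match
    an allowed source (sources are assumed to be written as full origins or 'self')."""
    for directive in csp.split(";"):
        parts = directive.split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        sources = parts[1:]
        if "'none'" in sources:
            return False
        allowed = {origin(page_url) if s == "'self'" else origin(s) for s in sources}
        return all(origin(a) in allowed for a in ancestors)
    return True  # no directive: CSP imposes no framing restriction

TULEAP = "https://tuleap.example/projects/foo"        # constructed origin A
UNTRUSTED = "https://untrusted.example/frame.html"    # constructed origin B

def report_scenario():
    """Origin A frames untrusted origin B, which frames A again, so the inner
    Tuleap page sees the ancestor chain [A, B]."""
    chain = [TULEAP, UNTRUSTED]
    return {
        "xfo_sameorigin_top_level_only": xfo_allows("SAMEORIGIN", TULEAP, chain, True),
        "xfo_sameorigin_all_ancestors": xfo_allows("SAMEORIGIN", TULEAP, chain, False),
        "xfo_deny": xfo_allows("DENY", TULEAP, chain, True),
        "csp_frame_ancestors_self": frame_ancestors_allows("frame-ancestors 'self'", TULEAP, chain),
    }
```

Only the first entry of report_scenario() comes back True, which is exactly the IE/Edge gap the report describes; the DENY setting is the behaviour the follow-up's fix adopts.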

    References

    CWE-693
    OWASP - Clickjacking
    Exploiting the unexploitable with lesser known browser tricks by @filedescriptor
    RFC7034 - HTTP Header Field X-Frame-Options

    Other
    Closed
    2017-06-12
    Attachments
    Empty
    References

    Follow-ups

    Thomas Gerbet (tgerbet) 2017-06-12 10:13
    The fix is now available for review; the goal is to have the fix available in the Tuleap 9.9 release.

    • Status changed from Waiting for information to Under review
    Thomas Gerbet (tgerbet) 2017-05-16 13:36
    A patch to solve the issue is available: gerrit #8396.

    However, since the fix can break usages (it is not possible to frame a Tuleap page at all with it), I'm waiting for feedback from users before requesting the integration. Without this feedback, the fix will be requested for integration for the Tuleap 9.9 release cycle.

    • Status changed from Verified to Waiting for information