Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #7785 Vulnerable to clickjacking attack
    Actions
    Infos
    #7785
    Thomas Gerbet (tgerbet)
    2015-03-04 16:22
    2015-01-21 14:55
    7786
    Details
    Vulnerable to clickjacking attack

    Tuleap is vulnerable to clickjacking attack (aka UI redress attack).

    Impact

    An attacker could trick an user into doing some actions like clicking on a button or filling a form and route informations to another page.
    CVSS2 score : 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

    Exploitation

    A proof of concept is attached. Put the URL you want to test instead of TULEAP_URL.

    References

    https://www.owasp.org/index.php/Clickjacking
    http://seclab.stanford.edu/websec/framebusting/framebust.pdf

    Other
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2015-01-22
    Attachments
    Artifact links
    Empty
    By Thomas Gerbet (tgerbet)
    (260 B)
    poc_clickjacking.html
    Proof of concept clickjacking
    References
    Referencing request #7785

    Artifact Tracker v5

    rel #7520 7.10
    request #10223 Clickjacking protection can be bypassed on Internet Explorer or Edge

    Git commit

    tuleap/tuleap/stable

    Merge commit 'refs/changes/06/3506/1' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD 48251a65f3
    User avatar Yannis ROSSETTO (rossettoy) , 2015-01-22 13:26
    request #7785: Protection against clickjacking 3ad36b6e38
    User avatar Thomas Gerbet (tgerbet) , 2015-01-22 11:52
    request #7785: Protection against clickjacking e2d6c66a04
    User avatar Thomas Gerbet (tgerbet) , 2015-01-26 11:12

    tuleap/u/vaceletm/tuleap/dev

    Merge commit 'refs/changes/06/3506/1' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD 48251a65f3
    User avatar Yannis ROSSETTO (rossettoy) , 2015-01-22 13:26
    request #7785: Protection against clickjacking 3ad36b6e38
    User avatar Thomas Gerbet (tgerbet) , 2015-01-22 11:52
    request #7785: Protection against clickjacking e2d6c66a04
    User avatar Thomas Gerbet (tgerbet) , 2015-01-26 11:12

    Release

    release #100
    Display settings

    Follow-ups

    User avatar
    Yannis ROSSETTO (rossettoy)2015-01-22 13:27
    Merged in Tuleap 7.9.99.54
    • Status changed from Under implementation to Closed
    • Close date set to 2015-01-22