request #10223 Clickjacking protection can be bypassed on Internet Explorer or Edge

Artifact

Infos

Artifact ID#10223

Submitted byThomas Gerbet (tgerbet)

Last Modified On2017-11-10 10:15

Submitted on2017-05-16 09:00

Rank10488

Details

Summary *

Clickjacking protection can be bypassed on Internet Explorer or Edge

Original Submission

A clickjacking attack can be achieved for users of Internet Explorer or Edge

Impact

An attacker could trick a user into doing some actions like clicking on a button or filling a form and route informations to another page.
CVSSv3 score: 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Exploitation

Clickjacking protection added in request #7785 can be bypassed for IE Edge users. This is due to the fact that IE/Edge does not support the CSP level 2 directive frame-ancestors and that Tuleap have multiple ways for an user to create a frame to untrusted pages (sidebar service, PHPWiki transclude plugin...).

The only protection left for IE/Edge users is the X-Frame-Options header that Tuleap currently sets to SAMEORIGIN. It can be bypassed when arbitrary frames are created. Indeed, it does not prevent the inclusion when from origin A (Tuleap) an unstrusted content from origin B is included that itself includes a resource from origin A (and thus allowing the clickjacking attack).

References

CWE-693
OWASP - Clickjacking
Exploiting the unexploitable with lesser known browser tricks by @filedescriptor
RFC7034 - HTTP Header Field X-Frame-Options

CategoryOther

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toEmpty

StatusClosed

Close date2017-06-12

Attachments

Connected artifacts

Artifact links

Releases

Fixed in

	Artifact ID	Project	Tracker	Summary	Status	Last Update Date	Submitted By	Assigned to
	rel #10117	Tuleap	Releases	9.9	Delivered	2017-06-22 18:34	Manuel Vacelet (vaceletm)

Reverse artifact links

Empty

AttachmentsEmpty

References

Cross references

Referencing request #10223

Artifact Tracker v5

request #10812 Remove unusable web MUC

Git commit

tuleap/tuleap/stable

Merge commit 'refs/changes/96/8396/1' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD 7a22c3b7ff

Nicolas Terray (nterray) , 2017-06-12 17:54

request #10223: Prevent bypass of the clickjacking protection for Internet Explorer and Edge users 683ef92174

Thomas Gerbet (tgerbet) , 2017-05-16 13:32

Show items referenced by request #10223

Referenced by request #10223

Artifact Tracker v5

request #7785 Vulnerable to clickjacking attack

rel #10117 9.9

Other

gerrit #8396

Follow-ups

Thomas Gerbet (tgerbet)

2017-11-10 10:15

Public disclosure.

Nicolas Terray (nterray)

2017-06-12 17:56

gerrit #8396 integrated into Tuleap 9.8.99.123

Status changed from Under review to Closed
Connected artifacts
- Added Fixed in: rel #10117
Close date set to 2017-06-12

Thomas Gerbet (tgerbet)

2017-06-12 10:13

Fix is now available for review, goal is to have the fix available in the Tuleap 9.9 release.

Status changed from Waiting for information to Under review

Thomas Gerbet (tgerbet)

2017-05-16 13:36

A patch to solve the issue is available: gerrit #8396.

However since the fix can break usages (not possible to frame a Tuleap page at all with it) I'm waiting for feedback of users before requesting the integration. Without these feedback, the fix will be requested for integration for the Tuleap 9.9 release cycle.

Status changed from Verified to Waiting for information