Clickjacking attack in notrinos/notrinoserp

Status: Valid

Reported on Aug 21st 2022


Description

Clickjacking bug.
I see there is no X-Frame-Options header set, so the ERP URL can be loaded in an iframe tag, which allows a clickjacking attack.

Proof of Concept

Save the code below in an HTML file and open that HTML file's URL in a browser.

<iframe src="http://localhost/notrinoserp/index.php?application=system"></iframe>

STUDY MATERIAL

https://www.imperva.com/learn/application-security/clickjacking/
https://owasp.org/www-community/attacks/Clickjacking
https://portswigger.net/web-security/clickjacking
Similar report: https://www.huntr.dev/bounties/33e7fe0f-b3a0-4723-a8f9-de79d86b345d/

Impact

Clickjacking attack.
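The report rests on one observable fact: the ERP's responses carry no anti-framing header. The script below is an added example, not part of the original report and not NotrinosERP code, that decides from a set of response headers whether a third-party origin can embed the page in an iframe. It applies the browser precedence rules: an enforced Content-Security-Policy frame-ancestors directive overrides X-Frame-Options, a Report-Only policy blocks nothing, and X-Frame-Options is evaluated the way the HTML Standard's check does (DENY or SAMEORIGIN protect, ALLOW-FROM and invalid values do not, conflicting repeated values block only if one of them is deny/allowall/invalid). The header sets named REPORTED and HARDENED are constructed to mirror the report's description, not captured from a real NotrinosERP install; all function names are my own.

```python
#!/usr/bin/env python3
"""Decide from HTTP response headers whether a page is frameable by a
third-party origin, i.e. whether the clickjacking precondition holds.

Usage:  python framecheck.py http://localhost/notrinoserp/index.php?application=system
Without a URL argument it evaluates the two constructed sample header sets.
"""
import sys
import urllib.error
import urllib.request
from typing import Dict, List, Mapping, Optional, Tuple


def frame_ancestors_sources(csp: str) -> Optional[List[str]]:
    """Return the source list of the first frame-ancestors directive found in
    an enforced CSP header value, or None if no policy carries the directive.
    An empty list means 'frame-ancestors' was sent with no sources, which the
    CSP spec treats like 'none'. Repeated CSP headers arrive comma-joined, so
    policies are split on ',' before directives are split on ';'."""
    for policy in csp.split(","):
        for directive in policy.split(";"):
            tokens = directive.strip().split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return [t.lower() for t in tokens[1:]]
    return None


def frameable_by_third_party(headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Return (True, reason) if an attacker-controlled origin can load the page
    in an <iframe>, else (False, reason). Header names are matched
    case-insensitively; repeated headers must already be joined with ', '."""
    h = {k.lower(): v for k, v in headers.items()}

    # 1. An enforced CSP with frame-ancestors wins; X-Frame-Options is then ignored.
    #    (Content-Security-Policy-Report-Only is deliberately not consulted.)
    csp = h.get("content-security-policy")
    if csp is not None:
        sources = frame_ancestors_sources(csp)
        if sources is not None:
            if not sources or sources == ["'none'"]:
                return False, "CSP frame-ancestors 'none' blocks all framing"
            if "*" in sources or any(s in ("http:", "https:") for s in sources):
                return True, "CSP frame-ancestors permits any origin"
            return False, "CSP frame-ancestors restricts framing to: " + " ".join(sources)

    # 2. Fall back to X-Frame-Options, following the HTML Standard's check.
    xfo = h.get("x-frame-options")
    if xfo is None:
        return True, "no X-Frame-Options and no CSP frame-ancestors header"
    values = {v.strip().lower() for v in xfo.split(",") if v.strip()}
    if len(values) > 1:
        # Conflicting values: blocked only if one of them is deny/allowall/invalid.
        if values & {"deny", "allowall", "invalid"}:
            return False, "conflicting X-Frame-Options values, browser blocks framing"
        return True, "conflicting X-Frame-Options values without DENY, browser allows framing"
    value = next(iter(values), "")
    if value in ("deny", "sameorigin"):
        return False, "X-Frame-Options: " + value.upper()
    if value.startswith("allow-from"):
        return True, "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers"
    return True, "X-Frame-Options value %r is invalid and ignored by browsers" % xfo


def check_url(url: str) -> Tuple[bool, str]:
    """GET the URL and evaluate the headers of the final response (error
    responses such as 403 are evaluated too, since they can still be framed)."""
    try:
        resp = urllib.request.urlopen(url, timeout=10)
    except urllib.error.HTTPError as err:
        resp = err
    joined: Dict[str, str] = {}
    for name, value in resp.headers.items():  # repeated headers are joined with ', '
        joined[name] = joined[name] + ", " + value if name in joined else value
    return frameable_by_third_party(joined)


# Constructed sample responses (not captured from NotrinosERP).
REPORTED = {"Content-Type": "text/html; charset=utf-8",
            "Set-Cookie": "PHPSESSID=0123456789abcdef; path=/"}
HARDENED = {"Content-Type": "text/html; charset=utf-8",
            "X-Frame-Options": "DENY",
            "Content-Security-Policy": "frame-ancestors 'none'"}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        frameable, why = check_url(sys.argv[1])
        print(("FRAMEABLE: " if frameable else "protected: ") + why)
    else:
        for label, sample in (("as reported", REPORTED), ("hardened", HARDENED)):
            frameable, why = frameable_by_third_party(sample)
            print(label, "->", "FRAMEABLE" if frameable else "protected", "(" + why + ")")
```

The remediation the checker tests for is the server sending either `X-Frame-Options: DENY` (or `SAMEORIGIN` if the ERP frames its own pages) or, preferably alongside it, `Content-Security-Policy: frame-ancestors 'none'`; in a PHP application that is a `header()` call emitted before any output. The script does not say what commit c2ff3d changed; it only tells you whether a given deployment still satisfies the report's precondition.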

We are processing your report and will contact the notrinos/notrinoserp team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
We have contacted a member of the notrinos/notrinoserp team and are waiting to hear back a year ago
Phương gave praise a year ago
Thanks @ranjit-git for detecting this vulnerability, it will be fixed soon.
Phương validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
Phương marked this as fixed in 0.7 with commit c2ff3d a year ago
Phương has been awarded the fix bounty
This vulnerability will not receive a CVE