Improper Restriction of Rendered UI Layers or Frames in flatcore/flatcore-cms
Reported on
Oct 11th 2021
Description
Attackers can trick admin users into performing actions because the application does not send an X-Frame-Options header (such as DENY) with its pages, including the admin control panel (ACP).
This header matters because it stops other origins from embedding the site in an iframe. Since the ACP can be framed, an attacker can embed it in a page they control, cover it with their own content, and trick a logged-in admin into clicking controls inside the hidden frame, for example deleting data (clickjacking).
Proof of Concept
Host the following on an attacker-controlled page and open it while logged in to the ACP; the posts page renders inside the frame:
<iframe src="http://[FLATCORE-IP]/flatCore-CMS/acp/acp.php?tn=posts"></iframe>
Impact
An attacker who lures an authenticated admin to a malicious page can make the admin unknowingly perform ACP actions, such as deleting posts or other data.
Recommended Fix
Send an X-Frame-Options: DENY header with every ACP response so browsers refuse to render those pages inside a frame. Content-Security-Policy: frame-ancestors 'none' gives the same protection and takes precedence over X-Frame-Options in browsers that support it; sending both covers old and new browsers.
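The following checker is an added example for this report; it is not flatCore-CMS code and not the reporter's proof of concept. It classifies a response's headers by whether a third-party origin can still frame the page, honouring the precedence browsers apply (CSP frame-ancestors overrides X-Frame-Options, ALLOW-FROM is obsolete). The function names and the SAMPLES header sets are assumptions constructed for illustration, not captured from a real install.

```python
"""Check whether an HTTP response's headers stop cross-origin framing.

Added example for this clickjacking report (not project code). A response is
treated as protected when an attacker's origin cannot embed it in a frame.
"""
import sys
import urllib.error
import urllib.request


def _csp_frame_ancestors(csp_value):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp_value.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def frame_protection(headers):
    """Classify framing protection from a {header-name: value} mapping.

    Returns one of:
      "csp"    - frame-ancestors 'none' or 'self' keeps every other origin out
                 (browsers ignore X-Frame-Options when this directive is present)
      "xfo"    - X-Frame-Options DENY or SAMEORIGIN blocks cross-origin framing
      "review" - a header is present but does not clearly stop third-party framing
                 (explicit host lists, '*', obsolete ALLOW-FROM, malformed values)
      "none"   - neither header is set: the page can be framed from any origin
    """
    lower = {k.lower(): v for k, v in headers.items()}

    csp = lower.get("content-security-policy")
    if csp:
        ancestors = _csp_frame_ancestors(csp)
        if ancestors is not None:
            if ancestors in (["'none'"], ["'self'"]):
                return "csp"
            return "review"

    xfo = lower.get("x-frame-options")
    if xfo:
        # Only the two exact tokens are reliable; ALLOW-FROM was dropped by
        # modern browsers and other values are not guaranteed to be enforced.
        if xfo.strip().upper() in ("DENY", "SAMEORIGIN"):
            return "xfo"
        return "review"

    return "none"


def fetch_headers(url):
    """GET url and return its response headers, including on 4xx/5xx responses
    (a login redirect or a 403 still tells us whether the ACP sets the header)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())


# Constructed sample responses (assumed, not captured from a real flatCore install).
SAMPLES = {
    "unprotected acp": {"Content-Type": "text/html"},
    "sameorigin fix": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
    "csp fix": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "obsolete": {"X-Frame-Options": "ALLOW-FROM https://example.test"},
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python check_framing.py "http://[FLATCORE-IP]/flatCore-CMS/acp/acp.php?tn=posts"
        print(sys.argv[1], "->", frame_protection(fetch_headers(sys.argv[1])))
    else:
        for name, hdrs in SAMPLES.items():
            print(f"{name:16} -> {frame_protection(hdrs)}")
```

Run it against each ACP URL rather than only the front page: the header must be present on the response that is actually framed, and SAMEORIGIN is reported as sufficient because it still rejects the attacker's origin while letting the site frame its own pages.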
@haxatron It is secure enough to use X-Frame-Options: SAMEORIGIN. If I use DENY, the preview (in the backend) no longer works.