pete2007 Posted December 20, 2020

V2.3.4

Hello, I've just received an email saying that there is a clickjacking vulnerability on the account_password.php page. Is this something I should be worried about, and if so, what action can I take? Thank you in advance.
burt Posted December 20, 2020

You might post the content of the email?
pete2007 (Author) Posted December 20, 2020

Hi Burt, thank you for your reply. Here is the email:

Quote:

Hello Sir / Madam, Security Support Team,

My name is ______ from India. I am a security researcher. I have found a clickjacking vulnerability; your website deals with security issues.

What is a clickjacking vulnerability?

1. Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

2. The server didn't return an X-Frame-Options header, which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites. Server-side methods: the most common is X-Frame-Options. Server-side methods are recommended by security experts as an effective way to defend against clickjacking.

This vulnerability affects the web server.

The vulnerable domain is: www.mysite.com/account_password.php

Steps to reproduce:

1. I have given the exploit as follows.
2. Copy it into Notepad, paste it and save it as a .html file.
3. Double-click that file to open it in a new tab in the browser.

Exploit:

    <html>
    <head>
    <title>Clickjack test page</title>
    </head>
    <body>
    <p><font size="5" color="#bf0000">Website is vulnerable to clickjacking! 500x500</font></p>
    <iframe src="https://www.mysite.com/account_password.php" width="500" height="500"></iframe>
    </body>
    </html>

Impact: By using the clickjacking technique, an attacker hijacks clicks meant for one page and routes them to another page, most likely for another application, domain, or both.

Reference / suggestions: https://owasp.org/www-community/attacks/Clickjacking

*# Everything is shown in the POC in a quick way ...

Best Regards,
burt Posted December 20, 2020

https://htaccessbook.com/increase-security-x-security-headers/

Gives more reading for you (or your host). In my opinion, a typical fake email designed to make people worry.
pete2007 (Author) Posted December 20, 2020

1 minute ago, burt said:
    https://htaccessbook.com/increase-security-x-security-headers/
    Gives more reading for you (or your host). In my opinion, a typical fake email designed to make people worry.

Thank you Burt, your advice is most appreciated as always.
René H4 Posted December 21, 2020

18 hours ago, burt said:
    https://htaccessbook.com/increase-security-x-security-headers/
    Gives more reading for you (or your host). In my opinion, a typical fake email designed to make people worry.

Interesting! Wouldn't it be wise to add this into the core? Or strongly recommend it after installation?
burt Posted December 21, 2020

It's not my area of expertise. You'd need to get independent advice.
Jack_mcs Posted December 21, 2020

29 minutes ago, René H4 said:
    Interesting! Wouldn't it be wise to add this into the core? Or strongly recommend it after installation?

The code that clickjacking uses is also used for legitimate reasons by some sites, like showing YouTube videos. So making it core would not be a good idea. There is an option to allow certain domains through, but some have reported a response slow-down using it. Also, this vulnerability has been around for many years, at least 10. It can only be used if a site has been hacked, since the hacker's code has to be on the server. So the likelihood of it happening to a properly set up shop is probably negligible. But if you don't need to use iframes in your shop and think the protection is warranted, the blocking code can be added.
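The thread turns on two headers: X-Frame-Options, which the email says is missing, and the option Jack_mcs mentions of letting specific domains through (the CSP frame-ancestors directive). As an added example, not code from this thread or from osCommerce, the Python below models how a browser evaluates those headers, so a shop owner can check offline whether a given response would actually be frameable from another origin. The header sets and the partner/evil domains are constructed for illustration; ports, paths and scheme-only CSP sources are ignored to keep it short.

```python
"""Framing check: would a browser let another origin frame this page?

Added example (not from the forum thread or osCommerce). Rules modelled: a CSP
frame-ancestors directive wins over X-Frame-Options when both are present; otherwise
DENY and SAMEORIGIN are honoured, and anything else (no header, legacy ALLOW-FROM)
leaves the page frameable. Simplification: ports, paths and scheme-only sources ignored.
"""


def _source_matches(src: str, embedder: str, page: str) -> bool:
    """Match one frame-ancestors source expression against the embedder's origin."""
    src = src.strip().lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return embedder.lower() == page.lower()
    if src == "*":
        return True
    scheme, _, host = src.rpartition("://")            # scheme is "" when absent
    e_scheme, _, e_host = embedder.lower().partition("://")
    if scheme and scheme != e_scheme:
        return False
    host = host.split("/")[0]
    if host.startswith("*."):                          # wildcard covers subdomains only
        return e_host.endswith(host[1:])
    return e_host == host


def frameable_by(headers: dict, page_origin: str, embedder_origin: str) -> bool:
    """True if a page served with `headers` from page_origin can be framed by embedder_origin."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":          # present: CSP decides, XFO is ignored
            return any(_source_matches(s, embedder_origin, page_origin) for s in value.split())
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder_origin.lower() == page_origin.lower()
    return True                                        # no header, or a value browsers ignore


# Constructed sample responses; nothing here was captured from a real shop.
SHOP = "https://www.mysite.com"
NO_PROTECTION = {"Content-Type": "text/html"}           # the situation the email describes
XFO_SAMEORIGIN = {"X-Frame-Options": "SAMEORIGIN"}      # the usual one-line fix
CSP_ALLOWLIST = {"X-Frame-Options": "DENY",             # allow specific partner domains through
                 "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example"}
```

`frameable_by(NO_PROTECTION, SHOP, "https://evil.example")` returns True, which is all the emailed "proof of concept" page demonstrates; with XFO_SAMEORIGIN or CSP_ALLOWLIST it returns False for that origin while the shop's own pages and the listed partner subdomains can still frame it.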