Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

Clickjacking Vulnerability?


pete2007

Recommended Posts

V2.3.4

Hello,

I've just received an email to say that there is a clickjacking vulnerability for the account_password.php page.

Is this something I should be worried about and if so what action can I take?

Thank you in advance.

Link to comment
Share on other sites

Hi Burt, thank you for your reply, here is the email:

 

Quote
Hello,
SiR / Madam,
Security Support Team
My Name Is ______  From India. I Am Security Researcher's.
I Am Found  Clickjacking Vulnerability ,
Your website deals with security issues.
 
What is Click Jacking Vulnerability ?

1.Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

2.The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
 
Server-side methods – the most common is X-Frame-Options. Server-side methods are recommended by security experts as an effective way to defend against clickjacking.
 

This vulnerability affects Web Server.
The Vulnerable Domain Is :-
www.mysite.com/account_password.php

 
Step to Reproduce :-
1 :- I have given Expolit as follows.
2 :- Copy it to a Notepad copy and Past it Save as .html file
3 :- And double-click that file and open a new tab on the browser
 
Expolit :-
 
<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p><font size="5" color="#bf0000"> Website is vulnerable to clickjacking! 500x500</font></p>
<iframe src="https://www.mysite.com/account_password.php" width="500"
height="500"></iframe>
</body>
</html>
 
Impact:
By using Clickjacking technique, an attacker hijack's click's
meant for one page and route them to another page, most likely
for another application, domain, or both.
 
*# Everything is shown in the POC in a quick way   ...
 

Best Regards,

 

Link to comment
Share on other sites

29 minutes ago, René H4 said:

Interesting! Wouldn't it be wise to add this into the core? Or strongly recommended after installation?

The code that clickjacking uses is also used for legitimate reasons by some sites, like showing youtube videos. So making it core would not be a good idea. There is an option to allow certain domains through but some have reported a response slow-down using it. 

Also, this vulnerability has been around for many years, at least 10. It can only be used if a site has been hacked since the hackers code has to be on the server. So the likelihood of it happening to a properly set up shop is probably negligible. But if you don't need to use iframes in your shop and think the protection is warranted, the blocking code can be added.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

Get the latest versions of my addons

Recommended SEO Addons

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...