Running Version: 9.1.2 PHP 7.4
I received this email, is it something to be concerned about?
Actual URL replaced by website.
Hello Team,
I have found a bug in your website
The details of it are as follows:-
Summary:
X-Frame-Options ALLOW-FROM website/login is not supported by
several browsers.
Steps To Reproduce:
- Create a new HTML file
- Put <iframe src="website/login" frameborder="0"></iframe> in it
- Save the file
- Open document in browser
Impact:
An attacker may trick users by sending them a malicious link; when the user opens it
and clicks some image, their account is unknowingly deactivated.
Solution:
The vulnerability can be fixed by adding "frame-ancestors 'self';" to the
CSP (Content-Security-Policy) header.
PoC:
X-Frame-Bypass Web Component Demo
html, body { margin: 0; padding: 0; height: 100%; overflow: hidden; }
iframe { display: block; width: calc(70% - 40px); height: calc(80% - 40px); margin: 20px; }
img { position: absolute; top: 0; right: 0; }
x-frame-bypass in your site
FIX:
Content-Security-Policy: frame-ancestors 'self' is better, because it
checks all frame ancestors. You should implement a CSP header to avoid
these sorts of attacks. Please let me know if you want more information. I
hope that you appreciate my ethical disclosure of this vulnerability,
expecting a reward as a token of appreciation for this…
Thank you!
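The email's actual point is the difference between the obsolete X-Frame-Options ALLOW-FROM directive and CSP frame-ancestors. A quick way to judge a report like this is to inspect what your own site sends and classify it. The following checker is an added example written for this thread, not code from the reporter or from the CMS; it uses only the Python standard library, and the header sets it evaluates are constructed samples. It treats frame-ancestors as authoritative when present (browsers that understand it ignore X-Frame-Options), accepts DENY/SAMEORIGIN as legacy protection, and flags ALLOW-FROM as unreliable, which is exactly the condition the email describes.

```python
"""Classify HTTP response headers by the framing (clickjacking) protection they provide."""
from typing import Dict, List, Optional


def parse_csp(csp: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    directives: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def assess_framing(headers: Dict[str, str]) -> Dict[str, object]:
    """Return a verdict dict: {'protected': bool, 'mechanism': str|None, 'notes': [str]}."""
    lower = {k.lower(): v for k, v in headers.items()}
    notes: List[str] = []
    mechanism: Optional[str] = None
    protected = False

    csp = lower.get("content-security-policy")
    ancestors = parse_csp(csp).get("frame-ancestors") if csp else None
    xfo = lower.get("x-frame-options", "").strip()

    if ancestors is not None:
        # CSP frame-ancestors wins in every browser that supports it.
        mechanism = "csp-frame-ancestors"
        if "*" in ancestors:
            notes.append("frame-ancestors * permits framing from any origin")
        else:
            protected = True
        if xfo:
            notes.append("X-Frame-Options is ignored where frame-ancestors applies")
    elif xfo:
        mechanism = "x-frame-options"
        value = xfo.upper()
        if value in ("DENY", "SAMEORIGIN"):
            protected = True
            notes.append("legacy header only; add CSP frame-ancestors for full coverage")
        elif value.startswith("ALLOW-FROM"):
            # Obsolete directive: browsers that do not know it ignore the header entirely,
            # so the page is framable there. This is the condition the email reports.
            notes.append("ALLOW-FROM is obsolete and ignored by modern browsers")
        else:
            notes.append(f"unrecognised X-Frame-Options value: {xfo}")
    else:
        notes.append("no framing restriction sent at all")

    return {"protected": protected, "mechanism": mechanism, "notes": notes}


def recommended_headers() -> Dict[str, str]:
    """Headers that close the gap: CSP for modern browsers, XFO as a legacy fallback."""
    return {
        "Content-Security-Policy": "frame-ancestors 'self'",
        "X-Frame-Options": "SAMEORIGIN",
    }


# Constructed samples, not captured from any real site.
SAMPLES = {
    "allow-from-only": {"X-Frame-Options": "ALLOW-FROM https://www.example.test/login"},
    "deny-only": {"X-Frame-Options": "DENY"},
    "csp-self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp-wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "nothing": {},
    "recommended": recommended_headers(),
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        verdict = assess_framing(hdrs)
        print(f"{name:16} protected={verdict['protected']!s:5} via={verdict['mechanism']}")
        for note in verdict["notes"]:
            print(f"{'':16} - {note}")
```

Run it against the headers your login page actually returns (for example the output of a `curl -I` against it) and compare with the "recommended" row: if the site only sends ALLOW-FROM, the report is technically correct even though the PoC page is padded with boilerplate.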