Vulnerability Report [X-frame By-Pass]

Running Version: 9.1.2 PHP 7.4

I received this email, is it something to be concerned about?

Actual URL replaced by website.

Hello Team,
I have found a bug in your website

The details of it are as follows:-

X-Frame-Options ALLOW-FROM website/login not supported by
several Browser,
Steps To Reproduce:

  1. Create a new HTML file
  2. Put <iframe src="website/login frameborder=“0”>
  3. Save the file
  4. Open document in browser


Attacker may tricked user, sending them malicious link then user open it
clicked some image and their account unconsciously has been deactivated

The vulnerability can be fixed by adding “frame-ancestors ‘self’;” to the
CSP (Content-Security-Policy) header.


X-Frame-Bypass Web Component Demo html, body { margin: 0; padding: 0; height: 100%; overflow: hidden; } iframe { display: block; width: calc(70% - 40px); height: calc(80% - 40px); margin: 20px; } img { position: absolute; top: 0; right: 0; }

x-frame-bypass in your site


Content-Security-Policy: frame-ancestors ‘self’ is better, because it
checks all frame ancestors. You should implement a CSP header to avoid
these sorts of attacks. Please let me know if you want more information. I
hope that you appreciate my ethical disclosure of this vulnerability,
expecting a reward as a token of appreciation for this…
Thank you!

Have you tried the add-on: HTTP Headers - Concrete CMS

This just reads as spam to me, it’s pretty generic.

I agree, and have blocked the sender. Just wanted to make sure this was not an actual threat.

I wish there was a way to restrict access to the login page to specific IP’s.
We only use the login for administration of the site, there is no reason to have the link available to everyone.

Concrete does have the ability to do this:

That should prevent everyone except the allowed IP addresses from logging in.
It doesn’t fully block the login page, but authentication will check the IP address as part of the login process.

If you lock yourself out, the IpAccessControlRanges database table can be edited.