Vulnerability Report [X-frame By-Pass]

4cloud · October 17, 2022, 2:16pm

Running Version: 9.1.2 PHP 7.4

I received this email, is it something to be concerned about?

Actual URL replaced by website.

Hello Team,
I have found a bug in your website

The details of it are as follows:-
Summary:

X-Frame-Options ALLOW-FROM website/login not supported by
several Browser,
Steps To Reproduce:

Create a new HTML file
Put <iframe src="website/login frameborder=“0”>
Save the file
Open document in browser

Impact:

Attacker may tricked user, sending them malicious link then user open it
clicked some image and their account unconsciously has been deactivated
Solution:

The vulnerability can be fixed by adding “frame-ancestors ‘self’;” to the
CSP (Content-Security-Policy) header.

PoC:

X-Frame-Bypass Web Component Demo html, body { margin: 0; padding: 0; height: 100%; overflow: hidden; } iframe { display: block; width: calc(70% - 40px); height: calc(80% - 40px); margin: 20px; } img { position: absolute; top: 0; right: 0; }

x-frame-bypass in your site

"

FIX:
Content-Security-Policy: frame-ancestors ‘self’ is better, because it
checks all frame ancestors. You should implement a CSP header to avoid
these sorts of attacks. Please let me know if you want more information. I
hope that you appreciate my ethical disclosure of this vulnerability,
expecting a reward as a token of appreciation for this…
Thank you!

Steevb · October 17, 2022, 2:55pm

Have you tried the add-on: HTTP Headers - Concrete CMS

mesuva · October 17, 2022, 8:18pm

This just reads as spam to me, it’s pretty generic.

4cloud · October 18, 2022, 4:13pm

I agree, and have blocked the sender. Just wanted to make sure this was not an actual threat.

I wish there was a way to restrict access to the login page to specific IP’s.
We only use the login for administration of the site, there is no reason to have the link available to everyone.

mesuva · October 18, 2022, 10:34pm

Concrete does have the ability to do this:

it’s slightly different between v8 and v9, but the concept is the same. In V8 you go to /index.php/dashboard/system/permissions/blacklist/configure, and in V9 /index.php/dashboard/system/permissions/denylist/configure/1
then from the dropdown to the top right, you select **Whitelisted/Allowlisted IP addresses **
you then add your IP address to the allow list.
then you use the dropdown again and go to the Blacklisted/Allowlisted IP address (manual) section, you add ::/0 and *.*.*.*

That should prevent everyone except the allowed IP addresses from logging in.
It doesn’t fully block the login page, but authentication will check the IP address as part of the login process.

If you lock yourself out, the IpAccessControlRanges database table can be edited.