Improper Restriction of Rendered UI Layers or Frames in zoujingli/thinkadmin

Valid

Reported on

Aug 25th 2021

✍️ Description

It can be possible to perform a clickjacking attack due to the lack of frame restrictions. The application does not set the response header X-Frame-Options: DENY.

🕵️‍♂️ Proof of Concept

Clickjacking

💥 Impact

According to PortSwigger references, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. By inducing victim users to perform actions such as mouse clicks and keystrokes, the attacker can cause them to unwittingly carry out actions within the application that is being targeted. This technique allows the attacker to circumvent defenses against cross-site request forgery and may result in unauthorized actions.

References

Clickjacking (UI redressing)

We have contacted a member of the zoujingli/thinkadmin team and are waiting to hear back 2 years ago

邹景立 validated this vulnerability 2 years ago

Melbin Mathew Antony has been awarded the disclosure bounty

The fix bounty is now up for grabs

邹景立

commented 2 years ago

Maintainer

https://github.com/zoujingli/ThinkLibrary/blob/v6.0/src/Library.php#L115

X-FRAME-OPTIONS has been configured as sameorigin by default.

邹景立 marked this as fixed with commit 4b627c 2 years ago

邹景立 has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation