Improper Restriction of Rendered UI Layers or Frames in admidio/admidio
Valid
Reported on
Oct 16th 2021
# Description
It is possible to perform a clickjacking attack because the application does not restrict being rendered inside a frame.
The login page is returned without an X-Frame-Options response header (DENY or SAMEORIGIN), so a browser will embed it in an iframe served from any origin.
# Proof of Concept
```html
<!-- Attacker-controlled page that frames the target login form. In a real attack
     the iframe would be made transparent and positioned under decoy buttons. -->
<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<iframe src="https://www.admidio.org/demo_en/adm_program/system/login.php" width="500" height="500"></iframe>
</body>
</html>
```
Save the markup above as clickjacking.html and open it in a browser: the admidio login page renders inside the iframe, confirming that framing is not restricted.
# Impact
A page controlled by an attacker can load the website inside an iframe.
This enables a clickjacking attack: the attacker's page overlays the framed application with a decoy interface of the attacker's choosing, so a victim who believes they are interacting with the attacker's page actually clicks on the target application's controls (for example the login form used in the proof of concept).
To fix this, send X-Frame-Options: SAMEORIGIN by default (or DENY if the application never needs to frame its own pages), and add the equivalent Content-Security-Policy: frame-ancestors 'self' directive, which current browsers honour in preference to X-Frame-Options when both are present.
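The following checker is an added example, not part of the original report or of the admidio code base. It classifies a response's framing protection the way a browser would, taking X-Frame-Options and the CSP frame-ancestors directive into account, and can be pointed at a live URL to retest the fix. The sample header sets at the bottom are constructed for illustration, not captured from admidio, and the TARGET URL is only the one used in the proof of concept above.

```python
"""Check whether an HTTP response can be framed by a third-party page.

Added example (not admidio project code). framing_verdict() works offline on a
dict of response headers; check_url() fetches a URL and applies the same logic.
"""
from __future__ import annotations

import sys
import urllib.request

# URL from the proof of concept; any URL can be passed to check_url().
TARGET = "https://www.admidio.org/demo_en/adm_program/system/login.php"


def frame_ancestors(csp: str) -> list[str] | None:
    """Return the source list of a CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_verdict(headers: dict[str, str]) -> str:
    """Classify how a response may be framed.

    Returns one of:
      "blocked"     - no page may frame it (DENY, or frame-ancestors 'none')
      "same-origin" - only pages from the same origin may frame it
      "restricted"  - frame-ancestors names specific allowed origins
      "framable"    - nothing stops an attacker-controlled page from framing it
    Header names are matched case-insensitively. When a frame-ancestors
    directive is present it takes precedence over X-Frame-Options, as CSP specifies.
    """
    lower = {k.lower(): v for k, v in headers.items()}

    ancestors = frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        # An empty source list matches nothing, the same as 'none'.
        if not ancestors or ancestors == ["'none'"]:
            return "blocked"
        if ancestors == ["'self'"]:
            return "same-origin"
        # A wildcard or a bare scheme source lets any site frame the page.
        if "*" in ancestors or any(a in ("http:", "https:") for a in ancestors):
            return "framable"
        return "restricted"

    values = {v.strip().lower() for v in lower.get("x-frame-options", "").split(",") if v.strip()}
    if values == {"deny"}:
        return "blocked"
    if values == {"sameorigin"}:
        return "same-origin"
    # ALLOW-FROM is obsolete and ignored by current browsers. A header carrying
    # several conflicting values is a misconfiguration, so it is reported as
    # framable here to make sure it gets fixed rather than relied upon.
    return "framable"


def check_url(url: str) -> str:
    """Fetch url (network access required) and classify its framing protection."""
    req = urllib.request.Request(url, headers={"User-Agent": "framing-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        # Join repeated headers so a duplicated X-Frame-Options is not silently dropped.
        headers = {k: ", ".join(resp.headers.get_all(k)) for k in resp.headers.keys()}
    return framing_verdict(headers)


# Constructed sample header sets for offline use (not captured from admidio).
VULNERABLE = {"Content-Type": "text/html; charset=utf-8"}
HARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self'",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], check_url(sys.argv[1]))
    else:
        print("vulnerable sample:", framing_verdict(VULNERABLE))
        print("hardened sample:  ", framing_verdict(HARDENED))
```

Run it with the target URL as the only argument to retest after the header is deployed; with no argument it evaluates the two constructed samples. Because the CSP branch is consulted first, a response that sends X-Frame-Options: DENY together with frame-ancestors * is still reported as framable, which matches browser behaviour.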
We have contacted a member of the admidio team and are waiting to hear back.