Improper Restriction of Rendered UI Layers or Frames in admidio/admidio
Oct 16th 2021
# Description

It is possible to perform a clickjacking attack because the application does not restrict framing: it does not set the `X-Frame-Options: DENY` response header, so its pages can be embedded in an iframe by any other origin.

# Proof of Concept

```html
<html>
  <head>
    <title>Clickjack test page</title>
  </head>
  <body>
    <iframe src="https://www.admidio.org/demo_en/adm_program/system/login.php" width="500" height="500"></iframe>
  </body>
</html>
```

Save the script as `clickjacking.html` and open it in a browser; the login page renders inside the iframe.

# Impact

A page controlled by an attacker can load the website within an iframe. This enables a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker.

Recommended fix: configure `X-Frame-Options` as `SAMEORIGIN` by default.
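As an added example (not code from the report or from the Admidio project), a small Python checker that classifies a response's framing policy from its headers, so a defender can verify the fix above. It goes slightly beyond the report by also honouring `Content-Security-Policy: frame-ancestors`, which browsers apply in preference to `X-Frame-Options`; the verdict names and the sample header sets are this example's own assumptions, constructed rather than captured from the site.

```python
# Browsers give CSP frame-ancestors precedence over X-Frame-Options
# when both are present, so CSP is checked first.
import urllib.request
from typing import Mapping

# Verdict names are this example's own convention (assumption).
BLOCKED, SAME_ORIGIN, ALLOW_LISTED, UNRESTRICTED = (
    "blocked", "same-origin", "allow-listed", "unrestricted")

def framing_verdict(headers: Mapping[str, str]) -> str:
    """Classify the framing policy of a response; header names are case-insensitive."""
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = {t.lower().strip("'") for t in tokens[1:]}
            if not sources or sources == {"none"}:  # empty source list matches nothing
                return BLOCKED
            if sources <= {"self"}:
                return SAME_ORIGIN
            if "*" in sources:
                return UNRESTRICTED
            return ALLOW_LISTED
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return BLOCKED
    if xfo == "SAMEORIGIN":
        return SAME_ORIGIN
    # Missing, malformed or obsolete ALLOW-FROM: any origin may frame the page.
    return UNRESTRICTED

def fetch_headers(url: str) -> dict:
    """Fetch one URL with a HEAD request and return its response headers (needs network)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())

# Constructed sample header sets; not captured from the live demo site.
MISSING_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Server": "Apache"}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
}

if __name__ == "__main__":
    for name, hdrs in (("missing", MISSING_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{name}: {framing_verdict(hdrs)}")
```

To check a live deployment, pass `fetch_headers(url)` to `framing_verdict`; anything other than `blocked` or `same-origin` means the page is still frameable cross-origin.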