Improper Restriction of Rendered UI Layers or Frames in aces/loris

Valid

Reported on

Sep 24th 2021


Description

It is possible to perform a clickjacking attack due to the lack of frame restrictions such as X-Frame-Options: DENY.

Proof of Concept

Tested :: https://demo.loris.ca/
https://drive.google.com/file/d/1oSi2JpYnPjjoL6QvhFnsHcTD94KMzKBj/view?usp=sharing

Impact

Clickjacking is an interface-based attack in which a user is tricked into clicking on actionable content on a hidden website by clicking on some other content in a decoy website.

We have contacted a member of the aces/loris team and are waiting to hear back 2 months ago
0xdhinu modified their report 2 months ago
Dave MacFarlane validated this vulnerability 2 months ago
0xdhinu has been awarded the disclosure bounty
The fix bounty is now up for grabs
Dave MacFarlane confirmed that a fix has been merged on 82b504 2 months ago
Dave MacFarlane has been awarded the fix bounty
Dave MacFarlane
2 months ago

Maintainer


This should be fixed by https://github.com/aces/Loris/pull/7579 (CSP was used instead of X-Frame-Options, though it still needs to be pushed to demo.loris.ca)
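As an added example (not code from the report or from the aces/loris project), the following check classifies a response's framing protection from the two headers discussed above, applying the browser rule that a CSP frame-ancestors directive, when present, takes precedence over X-Frame-Options. The sample header sets are constructed and are not captured from demo.loris.ca.

```python
"""Classify clickjacking (framing) protection from HTTP response headers.

Added example, not code from the report or from aces/loris. A CSP
frame-ancestors directive, when present, overrides X-Frame-Options,
which is why a fix may use CSP instead of X-Frame-Options.
"""
from urllib.request import Request, urlopen

def csp_frame_ancestors(csp_value):
    """Return the frame-ancestors source list from a CSP header, or None."""
    for directive in csp_value.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def framing_protection(headers):
    """Map response headers (any case) to one of: csp-none,
    csp-restricted, xfo-deny, xfo-sameorigin, unprotected."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp is not None:
        ancestors = csp_frame_ancestors(csp)
        if ancestors is not None:          # CSP wins over X-Frame-Options
            if ancestors in ([], ["'none'"]):  # empty list means 'none'
                return "csp-none"
            if "*" in ancestors:           # wildcard lets any origin frame
                return "unprotected"
            return "csp-restricted"
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return "xfo-deny"
    if xfo == "sameorigin":
        return "xfo-sameorigin"
    return "unprotected"

def check_url(url):
    """Fetch a URL (network access) and classify its response headers."""
    with urlopen(Request(url, method="HEAD")) as resp:
        return framing_protection(dict(resp.headers.items()))

# Constructed sample responses; not captured from any real site.
SAMPLES = {
    "no-headers": {"Content-Type": "text/html"},
    "xfo": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp-overrides-xfo": {"X-Frame-Options": "DENY",
                          "Content-Security-Policy": "frame-ancestors *"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:20} {framing_protection(hdrs)}")
```

The last sample shows the precedence trap: a permissive frame-ancestors value silently cancels an otherwise correct X-Frame-Options: DENY, so both headers should be checked together after a fix is deployed.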