Improper Restriction of Rendered UI Layers or Frames in aces/loris

Valid

Reported on

Sep 24th 2021


Description

It is possible to perform a clickjacking attack because the application does not restrict which sites may load it in a frame: responses carry neither an X-Frame-Options header (DENY or SAMEORIGIN) nor a Content-Security-Policy frame-ancestors directive, so any third-party page can embed it in an invisible iframe.

Proof of Concept

Tested on: https://demo.loris.ca/
Proof-of-concept attachment (Google Drive): https://drive.google.com/file/d/1oSi2JpYnPjjoL6QvhFnsHcTD94KMzKBj/view?usp=sharing

Impact

Clickjacking is an interface-based attack in which a user is tricked into clicking actionable content on a hidden website (loaded in a transparent or disguised frame) by clicking some other content on a decoy website. Because the application can be framed by any origin, an attacker who lures an authenticated user to a page they control can route the user's clicks onto buttons or links in the framed application and trigger actions in the user's session without the user noticing.
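
The following is an added example, not code from the report or from the LORIS project, showing how a tester would decide from response headers alone whether a page is frameable by a third party. Both mechanisms mentioned on this page are handled: a Content-Security-Policy frame-ancestors directive, which browsers that support it evaluate in preference to X-Frame-Options, and the older X-Frame-Options header. The function names and the sample header sets are constructed for illustration and are not captured from demo.loris.ca.

```python
"""Decide from HTTP response headers whether a page can be framed by a
third-party origin, i.e. whether the clickjacking precondition holds."""

from typing import Dict, List, Tuple

XFO_PROTECTING = {"DENY", "SAMEORIGIN"}
# Source expressions that let any origin frame the page.
OPEN_SOURCES = {"*", "http:", "https:", "http://*", "https://*"}


def _get_all(headers: Dict[str, str], name: str) -> List[str]:
    """Case-insensitive header lookup; a comma-joined value counts as
    several header instances, which is how multiple headers are merged."""
    out: List[str] = []
    for key, value in headers.items():
        if key.lower() == name.lower():
            out.extend(p.strip() for p in value.split(",") if p.strip())
    return out


def csp_frame_ancestors(policies: List[str]) -> List[List[str]]:
    """Return the source list of every frame-ancestors directive found."""
    found: List[List[str]] = []
    for policy in policies:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                found.append([t.strip("'").lower() for t in tokens[1:]])
    return found


def frame_ancestors_blocks_third_party(sources: List[str]) -> bool:
    """'none', 'self' or an explicit host list keep arbitrary sites out;
    a wildcard or bare scheme does not. An empty list means 'none'."""
    if not sources or sources == ["none"]:
        return True
    return not any(s.rstrip("/") in OPEN_SOURCES for s in sources)


def frame_protection(headers: Dict[str, str]) -> Tuple[str, bool]:
    """Classify framing protection as (mechanism, protected).

    mechanism is 'csp', 'xfo' or 'none'. frame-ancestors is checked first
    because a browser that understands it ignores X-Frame-Options.
    Content-Security-Policy-Report-Only is deliberately not consulted:
    it reports violations but never blocks framing.
    """
    ancestors = csp_frame_ancestors(_get_all(headers, "Content-Security-Policy"))
    if ancestors:
        # With several policies, framing is allowed only if every policy
        # allows it, so one blocking policy is enough.
        return "csp", any(frame_ancestors_blocks_third_party(s) for s in ancestors)

    xfo = _get_all(headers, "X-Frame-Options")
    if xfo:
        values = {v.upper() for v in xfo}
        # Only a single DENY or SAMEORIGIN is counted as reliable: ALLOW-FROM
        # is obsolete and browsers have historically disagreed on how to
        # treat conflicting or unknown values.
        return "xfo", len(values) == 1 and values <= XFO_PROTECTING

    return "none", False


# Constructed sample responses for the demonstration (not real captures).
UNPROTECTED = {"Content-Type": "text/html", "Server": "Apache"}
FIXED_WITH_CSP = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
}
XFO_ONLY = {"X-Frame-Options": "DENY"}
CSP_OVERRIDES_XFO = {"Content-Security-Policy": "frame-ancestors *",
                     "X-Frame-Options": "DENY"}
REPORT_ONLY = {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"}
OBSOLETE_XFO = {"X-Frame-Options": "ALLOW-FROM https://example.com"}


if __name__ == "__main__":
    for label, hdrs in [("unprotected", UNPROTECTED), ("csp fix", FIXED_WITH_CSP),
                        ("xfo only", XFO_ONLY), ("open csp + xfo", CSP_OVERRIDES_XFO),
                        ("report-only", REPORT_ONLY), ("allow-from", OBSOLETE_XFO)]:
        mechanism, protected = frame_protection(hdrs)
        print(f"{label:15} mechanism={mechanism:4} frameable_by_third_party={not protected}")
```

The open-CSP case is the one testers most often get wrong: a permissive frame-ancestors directive sitting next to X-Frame-Options: DENY leaves the page frameable, because the CSP directive wins in every browser that implements it.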

Timeline

We have contacted a member of the aces/loris team and are waiting to hear back (a year ago)
0xdhinu modified the report (a year ago)
Dave MacFarlane validated this vulnerability (a year ago)
0xdhinu has been awarded the disclosure bounty
The fix bounty is now up for grabs
Dave MacFarlane marked this as fixed with commit 82b504 (a year ago)
Dave MacFarlane has been awarded the fix bounty
This vulnerability will not receive a CVE

Dave MacFarlane (Maintainer), a year ago:

This should be fixed by https://github.com/aces/Loris/pull/7579 (CSP was used instead of X-Frame-Options, though it still needs to be pushed to demo.loris.ca)
