Improper Restriction of Rendered UI Layers or Frames in craigk5n/webcalendar

Valid

Reported on

Oct 6th 2021


# Description
It is possible to perform a clickjacking attack because the application does not restrict framing: its responses do not set the X-Frame-Options: DENY header.

# Proof of Concept

```html
<html>
    <head>
        <title>Clickjack test page</title>
    </head>
    <body>
        <iframe src="http://webcalendar.sourceforge.net/demo/login.php?" width="500" height="500"></iframe>
    </body>
</html>
```

Save the markup as clickjacking.html and open it in a browser; the login page renders inside the iframe.

https://i.ibb.co/1frhL8B/Screenshot-2021-10-06-113306.png
It is possible for a page controlled by an attacker to load the website within an iframe. This enables a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker.

Configure X-Frame-Options as SAMEORIGIN by default.
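The remediation above, checked from the defender's side, as an added example that is not code from the report or the WebCalendar project: it parses a raw response header block and decides whether X-Frame-Options or a CSP frame-ancestors directive stops cross-origin framing. The two header sets are constructed to model login.php before and after the fix, not captured from the real application.

```python
"""Added example, not code from the report or the WebCalendar project:
decide whether an HTTP response's headers stop third-party pages from
framing it, the condition this report (missing X-Frame-Options) is about."""
from typing import Dict, Mapping, Tuple


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP response header block (status line first) into a dict.
    A repeated header name keeps the last value, which is good enough here."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return headers


def framing_blocked(headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Return (blocked, reason). Header names are matched case-insensitively.
    A CSP frame-ancestors directive takes precedence over X-Frame-Options in
    browsers that support it; only 'none', 'self' or an empty source list
    counts as blocking. X-Frame-Options DENY or SAMEORIGIN blocks cross-origin
    framing; the obsolete ALLOW-FROM is ignored by current browsers, so it
    counts as no protection at all."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for directive in lowered.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            if not sources or sources in (["'none'"], ["'self'"]):
                return True, "CSP frame-ancestors " + (sources[0] if sources else "(empty)")
            return False, f"CSP frame-ancestors allows {' '.join(parts[1:])}"
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is obsolete and ignored"
    return False, "no X-Frame-Options or CSP frame-ancestors header"


# Constructed responses modelling login.php before and after the fix; the
# header values are illustrative, not captured from the real application.
RAW_VULNERABLE = ("HTTP/1.1 200 OK\r\n"
                  "Content-Type: text/html; charset=utf-8\r\n"
                  "Set-Cookie: PHPSESSID=placeholder; path=/; HttpOnly\r\n")
RAW_FIXED = (RAW_VULNERABLE + "X-Frame-Options: SAMEORIGIN\r\n"
             "Content-Security-Policy: frame-ancestors 'self'\r\n")

if __name__ == "__main__":
    for label, raw in (("before", RAW_VULNERABLE), ("after", RAW_FIXED)):
        print(label, framing_blocked(parse_raw_headers(raw)))
```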
We have contacted a member of the craigk5n/webcalendar team and are waiting to hear back 2 years ago
Craig Knudsen (Maintainer), 2 years ago:

Fix is in commit 6a3b8ea09459b5135bd0209c6e9cf0e389aaaf54 in the bootstrap_ui branch.

Craig Knudsen validated this vulnerability 2 years ago
0xad3l has been awarded the disclosure bounty
The fix bounty is now up for grabs
Craig Knudsen (Maintainer), a year ago:

The fix for this is now included in the WebCalendar v1.9.0 release.

Craig Knudsen marked this as fixed in v1.9.0 with commit 6a3b8e a year ago
Craig Knudsen has been awarded the fix bounty
This vulnerability will not receive a CVE