Improper Restriction of Rendered UI Layers or Frames in fisharebest/webtrees


Reported on

Oct 13th 2021


In the fix commit, the fix was to set the CSP script-src directive to none for HTML files. Webtrees by default sends X-Frame-Options headers to prevent clickjacking, but since the value is X-Frame-Options: SAMEORIGIN, it is possible to perform a clickjacking attack because iframes are not being restricted in uploaded HTML files.

Proof of Concept

Upload the following HTML file:

        <iframe src="" width="500" height="500"></iframe>

Observe that the website can be iframed.


This vulnerability is capable of tricking the admin user into clicking unwanted buttons via the use of malicious iframes.

We have contacted a member of the fisharebest/webtrees team and are waiting to hear back.
haxatron modified the report


The recommended fix would be to set iframe-src in the CSP header to none.
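The two browser checks the report relies on, modelled as an added example (this is not code from the original report or from webtrees; the hostnames webtrees.example and attacker.example are constructed). Whether a parent document may show a child in an iframe depends on the child's X-Frame-Options (may the child be framed by this parent?) and on the parent's CSP frame-src, falling back to child-src and then default-src (may the parent load frames at all?). An uploaded HTML file lives on the webtrees origin, so SAMEORIGIN passes the first check; only a CSP on the uploaded file, specifically frame-src 'none' rather than script-src 'none' alone, fails the second:

```python
"""Framing decision model for a SAMEORIGIN clickjacking bypass via uploaded HTML."""
from urllib.parse import urlsplit


def origin(url):
    """scheme://host[:port], lower-cased, as used for same-origin comparison."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def xfo_allows(parent_url, child_url, xfo):
    """Evaluate the CHILD's X-Frame-Options header against the framing parent."""
    value = (xfo or "").strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return origin(parent_url) == origin(child_url)
    # Missing or unrecognised header: browsers permit framing
    return True


def parse_csp(header):
    """Split 'a b c; d e' into {'a': ['b', 'c'], 'd': ['e']}."""
    directives = {}
    for part in (header or "").split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_source_allows(sources, parent_url, child_url):
    """Match a CSP source list against the child URL (subset of the spec)."""
    child_origin = origin(child_url)
    child_scheme = urlsplit(child_url).scheme.lower()
    for src in sources:
        s = src.strip("'").lower()
        if s == "none":
            return False
        if s == "*":
            return True
        if s == "self" and origin(parent_url) == child_origin:
            return True
        if s.endswith(":") and s[:-1] == child_scheme:      # e.g. https:
            return True
        if s == child_origin or s == urlsplit(child_url).netloc.lower():
            return True
    return False


def csp_frame_allows(parent_url, child_url, csp):
    """Evaluate the PARENT's CSP: frame-src, else child-src, else default-src."""
    d = parse_csp(csp)
    for name in ("frame-src", "child-src", "default-src"):
        if name in d:
            return csp_source_allows(d[name], parent_url, child_url)
    return True  # no governing directive: frames permitted


def may_frame(parent_url, parent_csp, child_url, child_xfo):
    """Both checks must pass for the iframe to render."""
    return (xfo_allows(parent_url, child_url, child_xfo)
            and csp_frame_allows(parent_url, child_url, parent_csp))


def report_scenarios():
    """Constructed scenarios mirroring the report; hostnames are assumptions."""
    admin = "https://webtrees.example/admin"          # protected page, XFO: SAMEORIGIN
    uploaded = "https://webtrees.example/data/media/evil.html"  # attacker's upload
    return {
        # External attacker page: SAMEORIGIN does its job
        "external_site": may_frame("https://attacker.example/", "", admin, "SAMEORIGIN"),
        # Same-origin upload with no CSP: SAMEORIGIN is bypassed
        "upload_no_csp": may_frame(uploaded, "", admin, "SAMEORIGIN"),
        # Only script-src 'none' on the upload: iframes still load
        "upload_script_src_only": may_frame(uploaded, "script-src 'none'", admin, "SAMEORIGIN"),
        # frame-src 'none' on the upload: the iframe is refused
        "upload_frame_src_none": may_frame(
            uploaded, "script-src 'none'; frame-src 'none'", admin, "SAMEORIGIN"),
    }


if __name__ == "__main__":
    for name, allowed in report_scenarios().items():
        print(f"{name:24s} iframe {'ALLOWED' if allowed else 'blocked'}")
```

The model covers only the source expressions needed here ('none', 'self', '*', a scheme, an origin or host); it does not implement wildcards, nonces, or frame-ancestors. The practical takeaway is that X-Frame-Options on the target page cannot defend against a framing page served from the same origin, so user-uploaded HTML needs its own restrictive CSP.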

Greg Roach validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Greg Roach
a year ago


Thanks for the tip regarding the fix.

a year ago


frame-src, sorry.

Greg Roach marked this as fixed with commit 834071 a year ago
Greg Roach has been awarded the fix bounty
This vulnerability will not receive a CVE
ImageFactory.php#L350 has been validated
a year ago


Just for the record, this bug is a follow-up to this report, where the reporter reported the ability to upload HTML files with script tags. My report is about the ability to upload HTML files with iframe tags, bypassing the X-Frame-Options header.

Adam Nygate
a year ago


Hi all, we've adjusted the CWE back to "Improper Restriction of Rendered UI Layers or Frames" and will be manually adjusting the bounty for this report.
