Improper Restriction of Rendered UI Layers or Frames in fisharebest/webtrees


Reported on

Oct 13th 2021


In the fix commit, the fix was to set the CSP script-src directive for HTML files to none. Webtrees by default sends X-Frame-Options headers to prevent clickjacking, but since the header is X-Frame-Options: SAMEORIGIN, it is still possible to perform a clickjacking attack because iframes are not being restricted in HTML files.

Proof of Concept

Upload the following HTML file

        <iframe src="" width="500" height="500"></iframe>

See that the website can be iframed


This vulnerability is capable of tricking the admin user into clicking unwanted buttons via malicious iframes.

We have contacted a member of the fisharebest/webtrees team and are waiting to hear back 2 years ago
haxatron modified the report
2 years ago
2 years ago


The recommended fix would be to set iframe-src in the CSP header to none.
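The distinction this report turns on is that X-Frame-Options restricts who may frame a response, while CSP frame-src restricts what a response may frame, so SAMEORIGIN does nothing against an uploaded HTML file that is itself served from the same origin. The script below is an added example (not webtrees code and not taken from the fix commit) that a maintainer could run against the headers their server sends with a served upload: it parses the Content-Security-Policy header, resolves frame-src and script-src through their CSP3 fallback chains (child-src and default-src), and reports whether frames and script are actually denied. The two header sets are constructed for illustration; the exact header strings webtrees emits are an assumption.

```python
"""
Added example (not webtrees code): check whether the headers sent with a
user-uploaded HTML file stop that file from (a) embedding frames, which is what
lets same-origin uploaded HTML iframe the admin UI despite
X-Frame-Options: SAMEORIGIN, and (b) running script.  The header sets below are
constructed for illustration; the exact header strings webtrees sends are an
assumption, not taken from the fix commit.
"""
from typing import Dict, List, Optional

# CSP3 fallback chains: a missing directive inherits from the next one listed.
FALLBACK = {
    "frame-src": ["frame-src", "child-src", "default-src"],
    "script-src": ["script-src", "default-src"],
}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}.

    Directive names are case-insensitive; quoted keywords ('none', 'self', ...)
    are lowercased, other source expressions keep their case.
    """
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        values = [t.lower() if t.startswith("'") else t for t in tokens[1:]]
        policy.setdefault(name, values)  # CSP ignores a repeated directive
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Resolve a fetch directive through its fallback chain; None means unrestricted."""
    for name in FALLBACK[directive]:
        if name in policy:
            return policy[name]
    return None


def check_upload_headers(headers: Dict[str, str]) -> Dict[str, object]:
    """Evaluate the response headers of a served upload.

    frames_blocked / script_blocked are True only when the effective source list
    is exactly 'none'.  X-Frame-Options is reported but does not count towards
    either: it restricts who may frame this response, not what this response may
    frame, so SAMEORIGIN is no obstacle to an uploaded same-origin page.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    policy = parse_csp(lower.get("content-security-policy", ""))
    frame = effective_sources(policy, "frame-src")
    script = effective_sources(policy, "script-src")
    return {
        "frames_blocked": frame == ["'none'"],
        "script_blocked": script == ["'none'"],
        "x_frame_options": lower.get("x-frame-options"),
        "frame_sources": frame,
    }


# Constructed header sets (assumption: not copied from a real webtrees response).
# Before: only the site-wide anti-clickjacking header, which an uploaded
# same-origin HTML file is free to ignore when it frames the admin pages.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",
}

# After: the upload is served under a CSP that denies both frames and script,
# in the direction of the fix discussed in this report.
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "script-src 'none'; frame-src 'none'",
}


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, check_upload_headers(hdrs))
```

Feeding the script the headers captured from a real served upload (for example via `curl -I`) gives a quick regression check that frame-src 'none' is still in effect after a deployment; a policy of `default-src 'none'` alone also passes, because both directives fall back to it.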

Greg Roach validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Greg Roach
2 years ago


Thanks for the tip regarding the fix.

2 years ago


frame-src, sorry.

Greg Roach marked this as fixed with commit 834071 2 years ago
Greg Roach has been awarded the fix bounty
ImageFactory.php#L350 has been validated
2 years ago


Just for the record, this bug is a follow-up to this report, where the reporter reported the ability to upload HTML files with script tags. My report is about the ability to upload HTML files with iframe tags, bypassing the X-Frame-Options header.

Adam Nygate
2 years ago


Hi all, we've adjusted the CWE back to "Improper Restriction of Rendered UI Layers or Frames" and will be manually adjusting the bounty for this report.
