Improper Restriction of Rendered UI Layers or Frames in fisharebest/webtrees


Reported on Oct 13th 2021


In the earlier fix commit (for the previous report about uploaded HTML files containing script tags), the fix was to set the CSP for uploaded HTML files to script-src 'none'. Webtrees by default sends an X-Frame-Options header to prevent clickjacking, but because that header is X-Frame-Options: SAMEORIGIN, an uploaded HTML file, which is served from the same origin, can still embed the site in an iframe. Clickjacking therefore remains possible because iframes are not restricted in uploaded HTML files.

Proof of Concept

Upload the following HTML file

        <iframe src="" width="500" height="500"></iframe>

See that the website can be iframed


This vulnerability can be used to trick an admin user into clicking unwanted buttons via malicious iframes.
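The following is an added example, not code from the report or from the webtrees project. It models the two response policies that decide whether an uploaded HTML file can frame the site that serves it: the CSP on the uploaded file's response (frame-src, falling back to child-src and then default-src, decides whether that document may create frames at all) and the target page's X-Frame-Options / frame-ancestors (which decide who may embed it; SAMEORIGIN admits any same-origin document, including an uploaded one). The hostname and the header strings below are constructed for illustration and are not the exact headers webtrees emits.

```python
"""Evaluate whether an uploaded, same-origin HTML file can be used to
frame a site (the clickjacking primitive described in the report).
Added example; the header values and hostname are constructed."""


def parse_csp(value: str) -> dict:
    """Parse a Content-Security-Policy header value into {directive: [sources]}.
    A directive repeated within one policy is ignored after its first occurrence."""
    policy = {}
    for token in value.split(";"):
        parts = token.strip().split()
        if parts:
            policy.setdefault(parts[0].lower(), [s.lower() for s in parts[1:]])
    return policy


def source_allows_origin(sources: list, origin: str) -> bool:
    """Does a CSP source list permit a load from `origin`, evaluated for a
    document that itself lives on `origin` (so 'self' matches)?"""
    if sources == ["'none'"]:
        return False
    scheme, host = origin.lower().split("://", 1)
    for src in sources:
        if src in ("'self'", "*") or src == origin.lower():
            return True
        if src == scheme + ":":                      # scheme-source, e.g. https:
            return True
        if src.startswith("*.") and host.endswith(src[1:]):
            return True
    return False


def upload_may_frame(upload_headers: dict, origin: str) -> bool:
    """Can an HTML document served from `origin` with these headers put a
    same-origin page in an <iframe>?  Frame loads are governed by frame-src,
    falling back to child-src, then default-src; no directive means no limit."""
    csp = upload_headers.get("Content-Security-Policy")
    policy = parse_csp(csp) if csp else {}
    for name in ("frame-src", "child-src", "default-src"):
        if name in policy:
            return source_allows_origin(policy[name], origin)
    return True


def target_allows_same_origin_framing(target_headers: dict, origin: str) -> bool:
    """Can a same-origin document embed the page served with these headers?
    frame-ancestors, when present, takes precedence over X-Frame-Options."""
    csp = target_headers.get("Content-Security-Policy")
    if csp:
        policy = parse_csp(csp)
        if "frame-ancestors" in policy:
            return source_allows_origin(policy["frame-ancestors"], origin)
    xfo = target_headers.get("X-Frame-Options", "").strip().upper()
    if xfo == "DENY":
        return False
    return True   # SAMEORIGIN (or no header at all) admits same-origin framers


def clickjackable_via_upload(upload_headers: dict, target_headers: dict, origin: str) -> bool:
    """Both conditions must hold: the upload may create frames, and the
    target page accepts a same-origin framer."""
    return (upload_may_frame(upload_headers, origin)
            and target_allows_same_origin_framing(target_headers, origin))


# Constructed sample policies (assumptions, not webtrees' literal headers).
ORIGIN = "https://webtrees.example"
TARGET = {"X-Frame-Options": "SAMEORIGIN"}                 # site default per the report
UPLOAD_BEFORE = {"Content-Security-Policy": "script-src 'none'"}                    # earlier fix only
UPLOAD_AFTER = {"Content-Security-Policy": "script-src 'none'; frame-src 'none'"}   # frame-src added


if __name__ == "__main__":
    print("before frame-src fix:", clickjackable_via_upload(UPLOAD_BEFORE, TARGET, ORIGIN))
    print("after  frame-src fix:", clickjackable_via_upload(UPLOAD_AFTER, TARGET, ORIGIN))
```

Two caveats when reading the result: frame-src only governs `<iframe>`/`<frame>` loads (`<object>` and `<embed>` fall under object-src), and a policy that omits frame-src entirely still restricts frames if it sets child-src or default-src, which the fallback chain above reproduces.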

We have contacted a member of the fisharebest/webtrees team and are waiting to hear back 2 months ago
haxatron modified their report 2 months ago


Recommended fix would be to set iframe-src in the CSP header to none.

Greg Roach validated this vulnerability 2 months ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Greg Roach
2 months ago


Thanks for the tip regarding the fix.

2 months ago


frame-src sorry -

Greg Roach confirmed that a fix has been merged on 834071 2 months ago
Greg Roach has been awarded the fix bounty
ImageFactory.php#L350 has been validated
2 months ago


Just for the record, this bug is a follow-up to this report, in which the reporter reported the ability to upload HTML files with script tags. My report is about the ability to upload HTML files with iframe tags, bypassing the X-Frame-Options header.

Adam Nygate
2 months ago


Hi all, we've adjusted the CWE back to "Improper Restriction of Rendered UI Layers or Frames" and will be manually adjusting the bounty for this report.