Improper Restriction of Rendered UI Layers or Frames in fisharebest/webtrees

Valid

Reported on Oct 13th 2021
Description

The earlier fix commit https://github.com/fisharebest/webtrees/commit/fc904122e0c1b55f274bc4c8cd883c266176e34e addressed script execution in uploaded HTML files by serving them with a Content-Security-Policy of script-src 'none'. Webtrees also sends an X-Frame-Options header to prevent clickjacking, but its value is SAMEORIGIN, and an uploaded HTML file is served from the same origin as the application itself. Such a file can therefore embed webtrees pages in an iframe, because the CSP applied to uploaded HTML does not restrict frames, and a clickjacking attack becomes possible.

Proof of Concept

Upload the following HTML file to webtrees:

<html>
    <head>
        <title>huntr.dev</title>
    </head>
    <body>
        <!-- Same-origin target: X-Frame-Options: SAMEORIGIN does not stop this frame -->
        <iframe src="https://dev.webtrees.net/demo-dev/" width="500" height="500"></iframe>
    </body>
</html>

Open the uploaded file and observe that the webtrees site is rendered inside the iframe: X-Frame-Options: SAMEORIGIN does not block a frame whose parent document shares the origin.

Impact

An attacker who can upload HTML files can trick an administrator into clicking unintended controls of the webtrees interface by overlaying a malicious page on top of the framed application (clickjacking).
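To make the header interplay concrete, here is an added Python example (not webtrees code and not part of the original report) that decides whether a document at one URL may embed the page at another, from both sides' response headers: the embedding document's own CSP frame-src (falling back to child-src and then default-src) and the target's frame-ancestors or X-Frame-Options. It models the three cases this report contrasts: an external page, which SAMEORIGIN blocks; a same-origin uploaded HTML file served only with script-src 'none', where framing succeeds; and the same file served with frame-src 'none' added. The path of the uploaded file and the attacker hostname are assumptions, and only the CSP source expressions 'none', 'self', '*' and exact origins are handled.

```python
"""Frameability check: can the document at one URL embed the page at another?

Added example, not webtrees code. Evaluates the two header sets that decide
the question: the embedder's CSP (frame-src, then child-src, then
default-src) and the target's frame-ancestors or X-Frame-Options.
"""
from urllib.parse import urlsplit


def origin_of(url):
    """scheme://host[:port], lowercased, as browsers compare origins."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def header(headers, name):
    """Case-insensitive header lookup; '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def parse_csp(value):
    """Content-Security-Policy value -> {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def sources_allow(sources, own_origin, other_url):
    """Does a CSP source list (subset: 'none', 'self', '*', origin) permit other_url?"""
    other = origin_of(other_url)
    for src in sources:
        if src == "*" or src == other:
            return True
        if src == "'self'" and other == own_origin:
            return True
    return False  # an empty list and 'none' both permit nothing


def can_frame(embedder_url, embedder_headers, target_url, target_headers):
    """Return (allowed, reason) for an <iframe src=target_url> inside embedder_url."""
    emb_origin, tgt_origin = origin_of(embedder_url), origin_of(target_url)

    # 1. Embedder side: its CSP limits what it may load into frames.
    csp = parse_csp(header(embedder_headers, "Content-Security-Policy"))
    for directive in ("frame-src", "child-src", "default-src"):
        if directive in csp:
            if not sources_allow(csp[directive], emb_origin, target_url):
                return False, f"embedder CSP {directive} blocks {tgt_origin}"
            break  # the first directive present decides; fallbacks are not consulted

    # 2. Target side: frame-ancestors, when present, overrides X-Frame-Options.
    tgt_csp = parse_csp(header(target_headers, "Content-Security-Policy"))
    if "frame-ancestors" in tgt_csp:
        if sources_allow(tgt_csp["frame-ancestors"], tgt_origin, embedder_url):
            return True, "target frame-ancestors permits the embedder"
        return False, "target frame-ancestors blocks the embedder"
    xfo = header(target_headers, "X-Frame-Options").strip().upper()
    if xfo == "DENY":
        return False, "target X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        if emb_origin == tgt_origin:
            return True, "X-Frame-Options: SAMEORIGIN satisfied (same origin)"
        return False, "target X-Frame-Options: SAMEORIGIN blocks a cross-origin embedder"
    return True, "no framing restriction on either side"


# Constructed sample inputs. The webtrees demo site is the target named in the
# report; the path of the uploaded HTML file and the attacker host are assumed.
TARGET_URL = "https://dev.webtrees.net/demo-dev/"
TARGET_HEADERS = {"X-Frame-Options": "SAMEORIGIN"}
UPLOADED_HTML_URL = "https://dev.webtrees.net/demo-dev/uploaded.html"  # assumed path
EXTERNAL_URL = "https://attacker.example/clickjack.html"              # assumed host
BEFORE_FIX = {"Content-Security-Policy": "script-src 'none'"}                   # earlier fix only
AFTER_FIX = {"Content-Security-Policy": "script-src 'none'; frame-src 'none'"}  # frame-src added


def scenarios():
    """Scenario name -> whether the iframe is rendered."""
    return {
        "external page vs SAMEORIGIN": can_frame(EXTERNAL_URL, {}, TARGET_URL, TARGET_HEADERS)[0],
        "same-origin upload, before fix": can_frame(UPLOADED_HTML_URL, BEFORE_FIX, TARGET_URL, TARGET_HEADERS)[0],
        "same-origin upload, after fix": can_frame(UPLOADED_HTML_URL, AFTER_FIX, TARGET_URL, TARGET_HEADERS)[0],
    }


if __name__ == "__main__":
    for name, framed in scenarios().items():
        print(f"{name}: {'FRAMED' if framed else 'blocked'}")
```

Note the two directions: frame-src 'none' on the served upload stops that document from embedding anything, which is what closes the hole described here, whereas X-Frame-Options or frame-ancestors on the application's own pages controls who may embed them. The latter cannot distinguish an uploaded same-origin file from the application, so both controls are needed when untrusted HTML is served from the application's origin.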

We have contacted a member of the fisharebest/webtrees team and are waiting to hear back (2 months ago)

haxatron modified their report (2 months ago)

haxatron (Researcher), 2 months ago:

Recommended fix would be to set iframe-src in the CSP header to none.

Greg Roach validated this vulnerability (2 months ago)
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs

Greg Roach (Maintainer), 2 months ago:

Thanks for the tip regarding the fix.

haxatron (Researcher), 2 months ago:

frame-src, sorry - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src

Greg Roach confirmed that a fix has been merged on 834071 (2 months ago)
Greg Roach has been awarded the fix bounty
ImageFactory.php#L350 has been validated

haxatron (Researcher), 2 months ago:

Just for the record, this bug is a follow-up to this report https://huntr.dev/bounties/ff3c3869-27df-4dc6-9663-34013a71b76c/, where the reporter reported the ability to upload HTML files with script tags. My report is about the ability to upload HTML files with iframe tags, bypassing the X-Frame-Options header.

Adam Nygate (Admin), 2 months ago:

Hi all, we've adjusted the CWE back to "Improper Restriction of Rendered UI Layers or Frames" and will be manually adjusting the bounty for this report.