Improper Restriction of Rendered UI Layers or Frames in fisharebest/webtrees

Valid

Reported on

Oct 13th 2021


Description

In fix commit https://github.com/fisharebest/webtrees/commit/fc904122e0c1b55f274bc4c8cd883c266176e34e, the fix was to set the CSP script-src directive for HTML files to none. Webtrees by default has X-Frame-Options headers to prevent clickjacking, but since the header is X-Frame-Options: SAMEORIGIN, it is possible to perform a clickjacking attack because iframes are not being restricted in HTML files.

Proof of Concept

Upload the following HTML file:

<html>
    <head>
        <title>huntr.dev</title>
    </head>
    <body>
        <iframe src="https://dev.webtrees.net/demo-dev/" width="500" height="500"></iframe>
    </body>
</html>

See that the website can be iframed.

Impact

This vulnerability is capable of tricking the admin user to click on unwanted buttons via use of malicious iframes.
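The two browser checks this report hinges on, written out as an added example that is not code from the report or from webtrees: X-Frame-Options is evaluated on the framed app page, and SAMEORIGIN passes when the embedding page (the uploaded HTML) shares the origin, while CSP frame-src is evaluated on the uploaded page itself, which is why the later frame-src 'none' fix closes the gap. Host and paths (example.test, /data/media/evil.html) are constructed placeholders.

```python
from urllib.parse import urlsplit


def origin(url: str) -> str:
    """Scheme + host (+ explicit port): what SAMEORIGIN compares."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def xfo_allows(xfo, embedder_origin: str, framed_origin: str) -> bool:
    """X-Frame-Options is enforced on the framed response (the app page)."""
    value = (xfo or "").strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return embedder_origin == framed_origin
    return True  # header absent or unrecognised: browsers do not block


def csp_allows_frames(csp) -> bool:
    """CSP is enforced on the embedding response (the uploaded HTML).
    frame-src falls back to child-src, then default-src."""
    if not csp:
        return True
    d = parse_csp(csp)
    for name in ("frame-src", "child-src", "default-src"):
        if name in d:
            return d[name] != ["'none'"]
    return True


def upload_can_frame_app(upload_url, upload_headers, app_url, app_headers) -> bool:
    """True when an uploaded HTML page served at upload_url can iframe app_url."""
    return (xfo_allows(app_headers.get("X-Frame-Options"), origin(upload_url), origin(app_url))
            and csp_allows_frames(upload_headers.get("Content-Security-Policy")))


# Constructed scenario: the uploaded file is served from the same origin as the app.
UPLOAD = "https://example.test/data/media/evil.html"  # placeholder host and path
APP = "https://example.test/admin"
APP_HEADERS = {"X-Frame-Options": "SAMEORIGIN"}
BEFORE = {"Content-Security-Policy": "script-src 'none'"}  # scripts blocked, frames not
AFTER = {"Content-Security-Policy": "script-src 'none'; frame-src 'none'"}  # frames blocked too

if __name__ == "__main__":
    print("before fix:", upload_can_frame_app(UPLOAD, BEFORE, APP, APP_HEADERS))  # True
    print("after fix: ", upload_can_frame_app(UPLOAD, AFTER, APP, APP_HEADERS))  # False
```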

We have contacted a member of the fisharebest/webtrees team and are waiting to hear back a year ago
haxatron modified the report
a year ago
haxatron
a year ago

Researcher


Recommended fix would be to set iframe-src in the CSP header to none.

Greg Roach validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Greg Roach
a year ago

Maintainer


Thanks for the tip regarding the fix.

haxatron
a year ago

Researcher


frame-src, sorry - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src

Greg Roach marked this as fixed with commit 834071 a year ago
Greg Roach has been awarded the fix bounty
This vulnerability will not receive a CVE
ImageFactory.php#L350 has been validated
haxatron
a year ago

Researcher


Just for the record, this bug is a follow-up to this report https://huntr.dev/bounties/ff3c3869-27df-4dc6-9663-34013a71b76c/, where the reporter reported the ability to upload HTML files with script tags. My report is about the ability to upload HTML files with iframe tags, bypassing the X-Frame-Options header.

Adam Nygate
a year ago

Admin


Hi all, we've adjusted the CWE back to "Improper Restriction of Rendered UI Layers or Frames" and will be manually adjusting the bounty for this report.
