Insufficient UI Warning of Dangerous Operations in postfixadmin/postfixadmin

Valid

Reported on

Aug 4th 2021


✍️ Description

clickjacking attack

🕵️‍♂️ Proof of Concept

i see there is no X-Frame-Options reseponse header present which allow to load entire website in iframe . And using this clickjacking attack can be performed .

<iframe src=http://localhost/postfixadmin/public/list.php?table=admin height=600px width=600px>

💥 Impact

clickjacking attack

Occurences

Ziding Zhang
4 months ago

Admin


Hey ranjit-git, I've contacted their team about this. Waiting to hear back.

We have contacted a member of the postfixadmin team and are waiting to hear back 4 months ago
We have contacted a member of the postfixadmin team and are waiting to hear back 4 months ago
postfixadmin/postfixadmin maintainer
4 months ago

Hello - Thanks for taking the time to investigate PostfixAdmin and report issues.

I think I'm a bit clueless about what a clickjacking attack entails.

I understand the above iframe would display postfixadmin within an iframe on a third party page, but how's that a problem ? (As long as PostfixAdmin isn't using a GET request to change state, this should be safe?)

postfixadmin/postfixadmin maintainer
4 months ago

see https://github.com/postfixadmin/postfixadmin/commit/12ed3fba3dec2d1efcc31f7b86ac3e7de833dee3

ranjit-git
4 months ago

Researcher


Here you can read more about clickjacking attack https://portswigger.net/web-security/clickjacking
https://www.imperva.com/learn/application-security/clickjacking/
https://owasp.org/www-community/attacks/Clickjacking
I did not gave you here a full proof exploit . I thought you might aware about this type vulnerability .
If you still need a exploit code then i can provide you one .
And plz validate the report .
Thanks

postfixadmin/postfixadmin maintainer
4 months ago

Thanks for the links!

postfixadmin/postfixadmin maintainer validated this vulnerability 4 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
postfixadmin/postfixadmin maintainer confirmed that a fix has been merged on 12ed3f 4 months ago
The fix bounty has been dropped
postfixadmin/postfixadmin maintainer
4 months ago

Hi - is ^ all correct now?

(have I properly credited/attributed the issue to you and clicked on the right things here?)

Jamie Slome
4 months ago

Admin


Yes!