Insufficient UI Warning of Dangerous Operations in postfixadmin/postfixadmin

Valid

Reported on

Aug 4th 2021

✍️ Description

clickjacking attack

🕵️‍♂️ Proof of Concept

i see there is no X-Frame-Options reseponse header present which allow to load entire website in iframe . And using this clickjacking attack can be performed .

<iframe src=http://localhost/postfixadmin/public/list.php?table=admin height=600px width=600px>

💥 Impact

clickjacking attack

Occurrences

delete.php L6

Z-Old

commented 2 years ago

Admin

Hey ranjit-git, I've contacted their team about this. Waiting to hear back.

We have contacted a member of the postfixadmin team and are waiting to hear back 2 years ago

A postfixadmin/postfixadmin maintainer

commented 2 years ago

Maintainer

Hello - Thanks for taking the time to investigate PostfixAdmin and report issues.

I think I'm a bit clueless about what a clickjacking attack entails.

I understand the above iframe would display postfixadmin within an iframe on a third party page, but how's that a problem ? (As long as PostfixAdmin isn't using a GET request to change state, this should be safe?)

A postfixadmin/postfixadmin maintainer

commented 2 years ago

Maintainer

see https://github.com/postfixadmin/postfixadmin/commit/12ed3fba3dec2d1efcc31f7b86ac3e7de833dee3

ranjit-git

commented 2 years ago

Researcher

Here you can read more about clickjacking attack https://portswigger.net/web-security/clickjacking
https://www.imperva.com/learn/application-security/clickjacking/
https://owasp.org/www-community/attacks/Clickjacking
I did not gave you here a full proof exploit . I thought you might aware about this type vulnerability .
If you still need a exploit code then i can provide you one .
And plz validate the report .
Thanks

A postfixadmin/postfixadmin maintainer

commented 2 years ago

Maintainer

Thanks for the links!

A postfixadmin/postfixadmin maintainer validated this vulnerability 2 years ago

ranjit-git has been awarded the disclosure bounty

The fix bounty is now up for grabs

A postfixadmin/postfixadmin maintainer marked this as fixed with commit 12ed3f 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

A postfixadmin/postfixadmin maintainer

commented 2 years ago

Maintainer

Hi - is ^ all correct now?

(have I properly credited/attributed the issue to you and clicked on the right things here?)

Jamie Slome

commented 2 years ago

Admin

Yes!

to join this conversation

Z-Old

commented 2 years ago

Admin

Hey ranjit-git, I've contacted their team about this. Waiting to hear back.

We have contacted a member of the postfixadmin team and are waiting to hear back 2 years ago

A postfixadmin/postfixadmin maintainer

commented 2 years ago

Maintainer

Hello - Thanks for taking the time to investigate PostfixAdmin and report issues.

I think I'm a bit clueless about what a clickjacking attack entails.

A postfixadmin/postfixadmin maintainer

commented 2 years ago

Maintainer

see https://github.com/postfixadmin/postfixadmin/commit/12ed3fba3dec2d1efcc31f7b86ac3e7de833dee3

ranjit-git

commented 2 years ago

Researcher

A postfixadmin/postfixadmin maintainer

commented 2 years ago

Maintainer

Thanks for the links!

A postfixadmin/postfixadmin maintainer validated this vulnerability 2 years ago

ranjit-git has been awarded the disclosure bounty

The fix bounty is now up for grabs

A postfixadmin/postfixadmin maintainer marked this as fixed with commit 12ed3f 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

A postfixadmin/postfixadmin maintainer

commented 2 years ago

Maintainer

Hi - is ^ all correct now?

(have I properly credited/attributed the issue to you and clicked on the right things here?)

Jamie Slome

commented 2 years ago

Admin

Yes!

to join this conversation