Improper Restriction of Rendered UI Layers or Frames in namelessmc/nameless


Reported on

Oct 14th 2021


Nameless is vulnerable to clickjacking because it does not have the X-Frame-Options header set to DENY or SAMEORIGIN (only nginx proxy has it).

This header is important because it prevents other websites from iframing the website. If the website can be iframed, then the attacker can host a malicious iframe on their site and trick the user into pressing buttons which disable the forum, etc.

Proof of Concept

Open this HTML file in your browser to see that the website can

<iframe src="">


This vulnerability is capable of tricking the admin user into disabling or enabling the forum, etc.
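The report's point is that the framing policy was only set by the nginx proxy, so an installation served without it sent no protection at all. The following is an added example (not NamelessMC code) that evaluates a response's headers the way a browser would, honouring both the CSP frame-ancestors directive and X-Frame-Options, run over constructed header sets for the application alone, the application behind the proxy, and a CSP-based policy.

```python
"""Decide whether a response's headers allow the page to be framed.

Added example, not NamelessMC code. Evaluates the two mechanisms browsers
honour: CSP frame-ancestors (which wins when both are present) and
X-Frame-Options. The header sets below are constructed samples.
"""
from typing import Dict, List, Optional


def _frame_ancestors(csp: Optional[str]) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None."""
    if not csp:
        return None
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_allowed(headers: Dict[str, str], embedder: str, page: str) -> bool:
    """True if a page at origin `page` can be embedded by origin `embedder`."""
    lower = {k.lower(): v for k, v in headers.items()}
    ancestors = _frame_ancestors(lower.get("content-security-policy"))
    if ancestors is not None:
        if "none" in ancestors:
            return False
        if "*" in ancestors or ("self" in ancestors and embedder == page):
            return True
        return embedder.lower() in ancestors
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == page
    # No policy (or a value browsers do not recognise): any site may frame it.
    return True


# Constructed samples: the application alone sends no framing policy, the
# nginx proxy adds X-Frame-Options, and a CSP forbids all framing outright.
APP_ONLY = {"Content-Type": "text/html; charset=UTF-8"}
BEHIND_PROXY = {**APP_ONLY, "X-Frame-Options": "SAMEORIGIN"}
WITH_CSP = {**BEHIND_PROXY,
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}

if __name__ == "__main__":
    for name, hdrs in [("app only", APP_ONLY), ("proxy", BEHIND_PROXY), ("csp", WITH_CSP)]:
        print(name, framing_allowed(hdrs, "https://third-party.example", "https://forum.example"))
```

Checking the headers returned by the PHP application directly (not through the proxy) is what shows whether the fix covers every installation, as the maintainer's comment notes.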

We have contacted a member of the namelessmc/nameless team and are waiting to hear back 2 years ago


Patch commit:



Whilst this rule does exist in both the .htaccess file and the nginx example configuration, I do agree that this is probably best placed within PHP to cover all installations.

Thanks for this

Sam validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Sam marked this as fixed with commit 35eac8 2 years ago
haxatron has been awarded the fix bounty
This vulnerability will not receive a CVE