Improper Restriction of Rendered UI Layers or Frames in namelessmc/nameless

Valid

Reported on

Oct 14th 2021


Description

Nameless is vulnerable to clickjacking because it does not set the X-Frame-Options header to DENY or SAMEORIGIN (only the nginx proxy has it).

This header is important because it prevents other websites from iframing the site. If the site can be iframed, an attacker can host a malicious iframe on their own site and trick the user into pressing buttons that, for example, disable the forum.

Proof of Concept

Open this HTML file in your browser to see that the website can

<iframe src="http://10.0.2.15/index.php?route=/panel/core/modules/"></iframe>

Impact

This vulnerability is capable of tricking the admin user into disabling or enabling the forum, etc.

We have contacted a member of the namelessmc/nameless team and are waiting to hear back 2 months ago
haxatron submitted a 2 months ago

haxatron (Researcher), 2 months ago


Patch commit: https://github.com/Haxatron/Nameless/commit/35eac8774ac6f66151bcbdedcbc9504db5e54fa5

Sam, 2 months ago

Whilst this rule does exist in both the .htaccess file and the nginx example configuration, I do agree that this is probably best placed within PHP to cover all installations.

Thanks for this
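The mitigation the report describes (X-Frame-Options set to DENY or SAMEORIGIN) and the placement Sam suggests (emitting it from PHP so every installation is covered, not only those behind the shipped nginx or .htaccess configuration) can be done with a few lines in the front controller. The code below is an added example written for this page; it is not NamelessMC's code and not the patch linked above. The function names `antiFramingHeaders` and `sendAntiFramingHeaders` are assumed names. It also sends the Content-Security-Policy `frame-ancestors` directive, which modern browsers prefer over X-Frame-Options and which, unlike X-Frame-Options, can express a list of permitted origins.

```php
<?php
// Added example (not NamelessMC project code): send anti-framing headers from
// PHP so every deployment gets them, whatever the front-end web server does.
// header() only works before any output has been sent, so this belongs at the
// top of the front controller (index.php), before the router runs.

/**
 * Build the headers that stop the page from being embedded in a frame.
 *
 * X-Frame-Options is honoured by older browsers. Content-Security-Policy
 * frame-ancestors supersedes it where supported; when both are present a
 * modern browser enforces the CSP directive, so the two must agree.
 *
 * @param string[] $allowedOrigins Origins permitted to frame the page
 *                                 (empty by default, i.e. nobody may).
 * @return array<string,string>    Header name => header value.
 */
function antiFramingHeaders(array $allowedOrigins = []): array
{
    if ($allowedOrigins === []) {
        return [
            'X-Frame-Options'         => 'DENY',
            'Content-Security-Policy' => "frame-ancestors 'none'",
        ];
    }
    // X-Frame-Options cannot carry a list of origins (ALLOW-FROM is obsolete
    // and ignored by current browsers), so give it the safe SAMEORIGIN value
    // and put the precise list in the CSP directive.
    return [
        'X-Frame-Options'         => 'SAMEORIGIN',
        'Content-Security-Policy' => "frame-ancestors 'self' " . implode(' ', $allowedOrigins),
    ];
}

/**
 * Emit the headers, or log if output has already started (in which case
 * header() would be silently ignored and the page would remain frameable).
 */
function sendAntiFramingHeaders(array $allowedOrigins = []): void
{
    if (headers_sent($file, $line)) {
        error_log("anti-framing headers not sent: output already began at $file:$line");
        return;
    }
    foreach (antiFramingHeaders($allowedOrigins) as $name => $value) {
        header("$name: $value");
    }
}

// Once, at the very start of the front controller.
sendAntiFramingHeaders();
```

If the application already sends its own Content-Security-Policy header, add `frame-ancestors` to that policy rather than calling `header()` a second time: by default `header()` replaces an earlier header of the same name, so the existing policy would be lost. Setting the header in PHP does not make the web-server rule redundant; keeping both means a misconfigured proxy cannot strip the protection from the application layer.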

Sam validated this vulnerability 2 months ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Sam confirmed that a fix has been merged on 35eac8 2 months ago
haxatron has been awarded the fix bounty