Improper Restriction of Rendered UI Layers or Frames in flatcore/flatcore-cms

Valid

Reported on

Oct 11th 2021


Description

Attackers can trick admin users into performing actions because there is no X-Frame-Options: DENY header set by the application.

This header is important because it prevents other websites from iframing the application. If the site can be iframed, an attacker can embed it in a malicious iframe on their own site and trick a logged-in user into actions such as deleting data.

Proof of Concept

<iframe src="http://[FLATCORE-IP]/flatCore-CMS/acp/acp.php?tn=posts"></iframe>

Impact

This vulnerability can be used to trick the admin user into deleting data.

Recommended Fix

Add the X-Frame-Options: DENY header.
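As an added illustration (not part of this report and not flatCore's own code), the following Python checker classifies a response's framing policy from its headers. It covers the unprotected state the report found (no header at all), the X-Frame-Options: SAMEORIGIN setting the maintainer settled on, and the Content-Security-Policy frame-ancestors directive, which modern browsers honour in preference to X-Frame-Options when both are present. The header dictionaries are constructed samples, not captured from a real flatCore instance.

```python
"""Classify the clickjacking (framing) protection a response carries.

Constructed example: header dictionaries below are made up to mirror the
before/after state described in the report, not captured traffic.
"""
from typing import Mapping, Optional

# Constructed: what an unpatched admin page response might carry (no framing header).
BEFORE_FIX = {"Content-Type": "text/html; charset=utf-8", "Server": "Apache"}
# Constructed: the same response after adding the header the maintainer chose.
AFTER_FIX = dict(BEFORE_FIX, **{"X-Frame-Options": "SAMEORIGIN"})
# Constructed: a response using CSP frame-ancestors, which browsers prefer over XFO.
WITH_CSP = dict(AFTER_FIX, **{"Content-Security-Policy":
                              "default-src 'self'; frame-ancestors 'none'"})


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def _csp_frame_ancestors(csp: str) -> Optional[list]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_policy(headers: Mapping[str, str]) -> str:
    """Return 'deny', 'sameorigin', 'restricted' or 'unprotected'.

    CSP frame-ancestors wins over X-Frame-Options when present, matching
    browser behaviour; an X-Frame-Options value browsers do not understand
    (including the obsolete ALLOW-FROM form) gives no protection.
    """
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = _csp_frame_ancestors(csp)
        if sources is not None:
            if sources == ["'none'"]:
                return "deny"
            if sources == ["'self'"]:
                return "sameorigin"
            if sources and "*" not in sources:
                return "restricted"  # a fixed allow-list of framing origins
            return "unprotected"     # empty list or wildcard: anyone may frame

    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return "unprotected"         # the state reported here: no header at all
    value = xfo.upper()
    if value == "DENY":
        return "deny"
    if value == "SAMEORIGIN":
        return "sameorigin"
    return "unprotected"             # ALLOW-FROM, duplicates or garbage are ignored


def framable_cross_site(headers: Mapping[str, str]) -> bool:
    """True when an arbitrary third-party site could embed this response in an iframe."""
    return framing_policy(headers) == "unprotected"


if __name__ == "__main__":
    for label, hdrs in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX), ("with CSP", WITH_CSP)):
        print(f"{label:>10}: policy={framing_policy(hdrs)} framable={framable_cross_site(hdrs)}")
```

SAMEORIGIN still lets the CMS frame its own pages, which is why it keeps the backend preview working while closing the cross-site framing the report describes; DENY or a CSP frame-ancestors 'none' is stricter and would break that preview.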

Patrick
a month ago

Maintainer


@haxatron it is secure enough to use X-Frame-Options: SAMEORIGIN. If I use DENY, the preview (in the backend) no longer works.

haxatron
a month ago

Researcher


yes that works too!

Patrick validated this vulnerability a month ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Patrick
a month ago

Maintainer


Thank you!

Patrick confirmed that a fix has been merged on e1496f a month ago
Patrick has been awarded the fix bounty