Bug 1352912 - Cross-Frame Scripting (XFS) vulnerability
Summary: Cross-Frame Scripting (XFS) vulnerability
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Kaleem
Reported: 2016-07-05 13:08 UTC by Vinay Mishra
Modified: 2016-11-04 05:56 UTC (History)
Last Closed: 2016-11-04 05:56:16 UTC

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC
FedoraHosted FreeIPA 4631 None None None 2016-07-05 13:08 UTC

Description Vinay Mishra 2016-07-05 13:08:31 UTC
Description of problem:

A Cross-Frame Scripting (XFS) vulnerability can allow an attacker to load the vulnerable application inside an HTML iframe tag on a malicious page. The attacker could use this weakness to devise a Clickjacking attack to conduct phishing, frame sniffing, social engineering or Cross-Site Request Forgery attacks.

Version-Release number of selected component (if applicable):

ipa-server-4.2.0-15.el7_2.17.x86_64


Expected results:

The "X-Frame-Options" header should be present in the headers of each server response. It informs web browsers whether the page may be framed by certain sites.


Additional info:
Upstream Bugzilla 
https://fedorahosted.org/freeipa/ticket/4631

Comment 2 Petr Vobornik 2016-07-07 11:43:46 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4631

Comment 3 Petr Vobornik 2016-07-07 11:48:40 UTC
Fixed in rebase to upstream 4.4.

Comment 4 Kaleem 2016-07-14 11:24:16 UTC
How can we verify this?

Comment 9 Kaleem 2016-08-29 09:43:22 UTC
How will QE verify this?

Comment 10 Petr Vobornik 2016-08-29 15:11:56 UTC
You should not be able to open IPA Web UI in a frame.

1. So create a simple webpage with an iframe that points to IPA.
2. It should fail to load IPA.

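The iframe test above checks one page by hand; the description's expectation is that every server response carries the header. The following added example (not part of this bug report and not FreeIPA code) is a small Python checker that classifies a response's anti-framing posture from its headers, honouring both X-Frame-Options and the CSP frame-ancestors directive that modern browsers prefer. The two header blocks and the host names are constructed for illustration, not captured from an IPA server.

```python
"""Classify the anti-framing posture of an HTTP response from its headers.

Added example for this bug report; it is not FreeIPA code. The header
blocks below are constructed samples, not captured server output.
"""
import sys
import urllib.request
from typing import Dict, Tuple

# Constructed sample: a response with no anti-framing header at all.
VULNERABLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: ipa_session=placeholder; Secure; HttpOnly

"""

# Constructed sample: a response that refuses framing via both mechanisms.
FIXED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'none'

"""


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw header block (status line first) into a lower-cased name -> value dict."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break  # the blank line terminates the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def framing_protection(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'protected', 'weak' or 'missing'.

    Browsers that understand CSP frame-ancestors let it override
    X-Frame-Options, so the CSP directive is evaluated first.
    """
    csp = headers.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split()
            if sources in (["'none'"], ["'self'"]):
                return "protected", f"CSP frame-ancestors {value.strip()}"
            # A bare wildcard or a scheme-only source lets any site frame the page.
            if "*" in sources or any(s in ("http:", "https:") for s in sources):
                return "weak", f"CSP frame-ancestors allows broad framing: {value.strip()}"
            return "protected", f"CSP frame-ancestors restricted to {value.strip()}"

    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected", f"X-Frame-Options: {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        return "weak", "X-Frame-Options ALLOW-FROM is deprecated and ignored by current browsers"
    if xfo:
        # Browsers ignore unknown values, which is equivalent to sending nothing.
        return "missing", f"X-Frame-Options value {xfo!r} is invalid and browsers ignore it"
    return "missing", "neither X-Frame-Options nor CSP frame-ancestors is set"


def check_url(url: str) -> Tuple[str, str]:
    """Fetch a URL and classify its live response headers (needs network and a trusted TLS chain)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        headers = {k.lower(): v for k, v in resp.headers.items()}
    return framing_protection(headers)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python check_framing.py https://ipa.example.test/ipa/ui/  (placeholder host)
        print(check_url(sys.argv[1]))
    else:
        for label, raw in (("vulnerable", VULNERABLE_RESPONSE), ("fixed", FIXED_RESPONSE)):
            print(label, framing_protection(parse_headers(raw)))
```

Run it without arguments to see the two constructed samples classified; pass a URL to classify a live response. Because the verdict is computed per response, the same function can be looped over every UI and API path to confirm the "each server response" expectation rather than a single landing page.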
Comment 11 Kaleem 2016-09-19 11:03:24 UTC
Verified.

[root@dhcp207-129 ~]# rpm -q ipa-server
ipa-server-4.4.0-12.el7.x86_64
[root@dhcp207-129 ~]# 


Please find attached the screenshot and the web page HTML used to test this.

Comment 15 errata-xmlrpc 2016-11-04 05:56:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

