Bug 1352912 - Cross-Frame Scripting (XFS) vulnerability
Summary: Cross-Frame Scripting (XFS) vulnerability
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: x86_64
OS: Linux
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Kaleem
Depends On:
Reported: 2016-07-05 13:08 UTC by Vinay Mishra
Modified: 2019-12-16 06:01 UTC (History)

Fixed In Version: ipa-4.4.0-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2016-11-04 05:56:16 UTC
Target Upstream Version:

Attachments

System                  ID              Private  Priority  Status        Summary                             Last Updated
FedoraHosted FreeIPA    4631            0        None      None          None                                2016-07-05 13:08:30 UTC
Red Hat Product Errata  RHBA-2016:2404  0        normal    SHIPPED_LIVE  ipa bug fix and enhancement update  2016-11-03 13:56:18 UTC

Description Vinay Mishra 2016-07-05 13:08:31 UTC
Description of problem:

A Cross-Frame Scripting (XFS) vulnerability can allow an attacker to load the vulnerable application inside an HTML iframe tag on a malicious page. The attacker could use this weakness to devise a Clickjacking attack to conduct phishing, frame sniffing, social engineering or Cross-Site Request Forgery attacks.

Version-Release number of selected component (if applicable):


Expected results:

The "X-Frame-Options" header should be present in the headers of each server response. It informs web browsers whether the page can be framed on certain sites.

Additional info:
Upstream Bugzilla 

Comment 2 Petr Vobornik 2016-07-07 11:43:46 UTC
Upstream ticket:

Comment 3 Petr Vobornik 2016-07-07 11:48:40 UTC
Fixed in rebase to upstream 4.4.

Comment 4 Kaleem 2016-07-14 11:24:16 UTC
How can we verify this?

Comment 9 Kaleem 2016-08-29 09:43:22 UTC
How QE will verify this?

Comment 10 Petr Vobornik 2016-08-29 15:11:56 UTC
You should not be able to open IPA Web UI in a frame.

1. So create a simple web page with an iframe which points to IPA.
2. It should fail to load IPA.
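
The header check that the description asks for, as a complement to the browser test described in Comment 10. This is an added example and is not part of this bug report or of FreeIPA's own code: it parses an HTTP response and decides whether a third-party page could still frame it. It goes beyond the report by also honouring Content-Security-Policy frame-ancestors, which browsers that support it prefer over X-Frame-Options when both are present. The sample responses and the hostname ipa.example.test are constructed for the example and are not captured from a real server.

```python
"""Anti-framing header check (added example; not FreeIPA's or the reporter's code).

Decides whether a response could be framed by an attacker-controlled origin,
using X-Frame-Options and, when present, Content-Security-Policy
frame-ancestors (which browsers that support it honour over X-Frame-Options).
"""
import sys
import urllib.error
import urllib.request

# Constructed sample responses; not captured from a real IPA server.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body>IPA Web UI</body></html>"
)
FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: frame-ancestors 'none'\r\n"
    "\r\n"
    "<html><body>IPA Web UI</body></html>"
)


def _merge(pairs):
    """Lower-case header names and join repeated headers with ', '."""
    headers = {}
    for name, value in pairs:
        name = name.strip().lower()
        value = value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return headers


def parse_raw_headers(raw):
    """Parse a raw HTTP response (status line, headers, blank line, body)."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name, value))
    return _merge(pairs)


def frame_policy(headers):
    """Evaluate anti-framing headers. Names in `headers` must be lower-case."""
    xfo = headers.get("x-frame-options", "").strip().upper()
    csp = headers.get("content-security-policy", "")

    frame_ancestors = None
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            frame_ancestors = " ".join(parts[1:]).lower()

    if frame_ancestors is not None:
        # CSP wins when present. A wildcard source lets every site frame us;
        # 'none', 'self', an explicit host list, or an empty source list
        # (which CSP treats like 'none') keeps an attacker origin out.
        tokens = frame_ancestors.split()
        framable = any(t in ("*", "http:", "https:") for t in tokens)
        reason = "CSP frame-ancestors " + (frame_ancestors or "<empty>")
    elif xfo:
        # Only DENY and SAMEORIGIN are reliable. ALLOW-FROM is deprecated and
        # ignored by Chromium and WebKit, which then allow framing, so it is
        # treated as no protection; so is any other unrecognised value.
        framable = xfo not in ("DENY", "SAMEORIGIN")
        reason = "X-Frame-Options " + xfo
    else:
        framable = True
        reason = "no X-Frame-Options and no CSP frame-ancestors"

    return {
        "x_frame_options": xfo or None,
        "frame_ancestors": frame_ancestors,
        "framable_cross_site": framable,
        "reason": reason,
    }


def check_response(raw):
    """True if the raw response cannot be framed by a third-party site."""
    return not frame_policy(parse_raw_headers(raw))["framable_cross_site"]


def fetch_headers(url, timeout=10.0):
    """GET a live URL and return its headers; error responses are checked too,
    since the report wants the header on every response."""
    req = urllib.request.Request(url, headers={"User-Agent": "xfo-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return _merge(resp.getheaders())
    except urllib.error.HTTPError as err:
        return _merge(err.headers.items())


if __name__ == "__main__":
    # Usage: python3 xfo_check.py https://ipa.example.test/ipa/ui/  (placeholder host)
    if len(sys.argv) > 1:
        print(frame_policy(fetch_headers(sys.argv[1])))
    else:
        for name, raw in (("vulnerable", VULNERABLE_RESPONSE), ("fixed", FIXED_RESPONSE)):
            print(name, frame_policy(parse_raw_headers(raw)))
```

Run it against the Web UI entry point and also against a URL that returns an error status, because a header that is only set on successful pages still leaves error pages framable; the iframe test from Comment 10 only exercises the page you happen to point the frame at.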

Comment 11 Kaleem 2016-09-19 11:03:24 UTC

[root@dhcp207-129 ~]# rpm -q ipa-server
[root@dhcp207-129 ~]# 

Please find the attached screen shot and web page html used to test this.

Comment 15 errata-xmlrpc 2016-11-04 05:56:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

