I'm failing PCI compliance and need to resolve this issue. Can anyone help me? I'm on phpBB 3.2.1, does 3.2.2 resolve this vulnerability?
Title:
Web Application Potentially Vulnerable to Clickjacking
Synopsis:
The remote web server may fail to mitigate a class of web application
vulnerabilities.
Impact:
The remote web server does not set an X-Frame-Options response
header or a Content-Security-Policy 'frame-ancestors' response header
in all content responses. This could potentially expose the site to a
clickjacking or UI redress attack, in which an attacker can trick a user
into clicking an area of the vulnerable page that is different than what the
user perceives the page to be. This can result in a user performing
fraudulent or malicious transactions. X-Frame-Options has been
proposed by Microsoft as a way to mitigate clickjacking attacks and is
currently supported by all major browser vendors. Content-Security-Policy
(CSP) has been proposed by the W3C Web Application Security
Working Group, with increasing support among all major browser
vendors, as a way to mitigate clickjacking and other attacks. The 'frame-ancestors'
policy directive restricts which sources can embed the
protected resource. Note that while the X-Frame-Options and
Content-Security-Policy response headers are not the only mitigations for
clickjacking, they are currently the most reliable methods that can be
detected through automation. Therefore, this plugin may produce false
positives if other mitigation strategies (e.g., frame-busting JavaScript)
are deployed or if the page does not perform any security-sensitive
transactions. See also:
http://www.nessus.org/u?399b1f56
https://www.owasp.org/index.php/Clickja ... heat_Sheet
https://en.wikipedia.org/wiki/Clickjacking
Resolution:
Return the X-Frame-Options or Content-Security-Policy (with the 'frame-ancestors'
directive) HTTP header with the page's response. This
prevents the page's content from being rendered by another site when
using the frame or iframe HTML tags.
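The finding is about response headers, not phpBB's code, so the fix is applied at the web server (or in a front controller) and then verified on every HTML path the scanner hits. The checker below is an added example, not phpBB's or the scanner's code: it reproduces the test the plugin description spells out (a recognised X-Frame-Options value, or a CSP frame-ancestors directive, on each response) and shows the header pair to add. The sample responses are constructed, and treating the obsolete ALLOW-FROM value, a wildcard frame-ancestors and a report-only CSP as "not protected" is this checker's own assumption about what current browsers enforce.

```python
from typing import Dict, List, Tuple

# Constructed sample: headers as a scanner might record them for three board
# paths before any fix. Illustrative only, not captured from a real site.
UNPROTECTED_RESPONSES: Dict[str, Dict[str, str]] = {
    "/index.php": {"Content-Type": "text/html; charset=UTF-8", "Server": "Apache"},
    "/viewforum.php?f=2": {"Content-Type": "text/html; charset=UTF-8"},
    "/ucp.php?mode=login": {"Content-Type": "text/html; charset=UTF-8"},
}

# X-Frame-Options values that current browsers still enforce. ALLOW-FROM is
# obsolete and ignored, so it is not counted as protection here (assumption).
XFO_ENFORCED = {"DENY", "SAMEORIGIN"}


def recommended_headers() -> Dict[str, str]:
    """The header pair to emit on every HTML response.

    SAMEORIGIN / 'self' still allows the board to frame its own pages; use
    DENY / 'none' if nothing legitimately frames it. Sending both covers
    browsers that only understand one of the two mechanisms.
    """
    return {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "frame-ancestors 'self'",
    }


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def clickjacking_protection(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether one response carries a recognised framing restriction.

    Returns (protected, reason). Header names are matched case-insensitively,
    as HTTP requires. Content-Security-Policy-Report-Only is deliberately
    ignored: it only reports, it never blocks framing.
    """
    lower = {name.lower(): val for name, val in headers.items()}

    csp = lower.get("content-security-policy", "")
    if csp:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            if "*" in ancestors:
                return False, "frame-ancestors * allows any site to frame the page"
            return True, "CSP frame-ancestors " + " ".join(ancestors)

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in XFO_ENFORCED:
        return True, f"X-Frame-Options {xfo}"
    if xfo:
        return False, f"X-Frame-Options {xfo} is obsolete and ignored by browsers"
    return False, "no X-Frame-Options or CSP frame-ancestors header"


def audit(responses: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the paths whose response lacks a recognised mitigation.

    The scanner's wording is 'in all content responses', so one unprotected
    HTML path is enough to keep the finding open.
    """
    return [path for path, hdrs in responses.items()
            if not clickjacking_protection(hdrs)[0]]


def with_fix(responses: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Simulate adding the recommended headers to every response."""
    return {path: {**hdrs, **recommended_headers()} for path, hdrs in responses.items()}


if __name__ == "__main__":
    print("unprotected before fix:", audit(UNPROTECTED_RESPONSES))
    print("unprotected after fix: ", audit(with_fix(UNPROTECTED_RESPONSES)))
```

Run it against headers fetched from your own board (for example the output of `curl -sI` on each path) and re-scan only once `audit` returns an empty list for every HTML path, including error pages and the login form.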