Web Application Potentially Vulnerable to Clickjacking

Get help with installation and running phpBB 3.2.x here. Please do not post bug reports, feature requests, or extension related questions here.
rapidrepair
Registered User
Posts: 14
Joined: Wed Feb 17, 2010 5:20 pm


Post by rapidrepair »

I'm failing PCI compliance and need to resolve this issue. Can anyone help me? I'm on phpBB 3.2.1; does 3.2.2 resolve this vulnerability?

Title:
Web Application Potentially Vulnerable to Clickjacking
Synopsis:
The remote web server may fail to mitigate a class of web application vulnerabilities.
Impact:
The remote web server does not set an X-Frame-Options response header or a Content-Security-Policy 'frame-ancestors' response header in all content responses. This could potentially expose the site to a clickjacking or UI redress attack, in which an attacker can trick a user into clicking an area of the vulnerable page that is different than what the user perceives the page to be. This can result in a user performing fraudulent or malicious transactions. X-Frame-Options has been proposed by Microsoft as a way to mitigate clickjacking attacks and is currently supported by all major browser vendors. Content-Security-Policy (CSP) has been proposed by the W3C Web Application Security Working Group, with increasing support among all major browser vendors, as a way to mitigate clickjacking and other attacks. The 'frame-ancestors' policy directive restricts which sources can embed the protected resource. Note that while the X-Frame-Options and Content-Security-Policy response headers are not the only mitigations for clickjacking, they are currently the most reliable methods that can be detected through automation. Therefore, this plugin may produce false positives if other mitigation strategies (e.g., frame-busting JavaScript) are deployed or if the page does not perform any security-sensitive transactions.
See also:
http://www.nessus.org/u?399b1f56
https://www.owasp.org/index.php/Clickja ... heat_Sheet
https://en.wikipedia.org/wiki/Clickjacking
Resolution:
Return the X-Frame-Options or Content-Security-Policy (with the 'frame-ancestors' directive) HTTP header with the page's response. This prevents the page's content from being rendered by another site when using the frame or iframe HTML tags.
david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Re: Web Application Potentially Vulnerable to Clickjacking

Post by david63 »

I have absolutely no idea what all that means but core phpBB does not, and has not for years, used iframe tags.
David
Lumpy Burgertushie
Registered User
Posts: 69223
Joined: Mon May 02, 2005 3:11 am

Re: Web Application Potentially Vulnerable to Clickjacking

Post by Lumpy Burgertushie »

And there are no known vulnerabilities in phpBB 3, so whatever that is, it is not something you need to worry about with phpBB.

luck,
robert
JoshyPHP
Code Contributor
Posts: 1288
Joined: Mon Jul 11, 2011 12:28 am

Re: Web Application Potentially Vulnerable to Clickjacking

Post by JoshyPHP »

Add the header via an extension. Check out phpBB's event list and pick whichever one's executed on every page: https://wiki.phpbb.com/Event_List

It's possible you'll need one event for normal pages and another for admin pages.
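A minimal extension that does what JoshyPHP describes, written as an added example for this thread; it is not phpBB's own code and not a published extension. The vendor/extension name `acme/frameguard` is made up. It subscribes to two core events that fire on every page: `core.page_header` for the front end and `core.adm_page_header` for the ACP, so both halves of the board get the headers. The `composer.json` and `config/services.yml` the extension also needs are shown as comments at the top of the listener.

```php
<?php
/**
 * ext/acme/frameguard/event/main_listener.php
 *
 * Added example for this thread (not phpBB's code, not a published extension).
 * "acme/frameguard" is a made-up vendor/extension name.
 *
 * Two further files make this a loadable extension:
 *
 * ext/acme/frameguard/composer.json
 *   {
 *     "name": "acme/frameguard",
 *     "type": "phpbb-extension",
 *     "description": "Sends anti-clickjacking headers on every page",
 *     "version": "1.0.0",
 *     "license": "GPL-2.0-only",
 *     "authors": [{"name": "example"}],
 *     "require": {"php": ">=5.4"},
 *     "extra": {
 *       "display-name": "Frame guard",
 *       "soft-require": {"phpbb/phpbb": ">=3.2.0,<3.3.0@dev"}
 *     }
 *   }
 *
 * ext/acme/frameguard/config/services.yml
 *   services:
 *       acme.frameguard.listener:
 *           class: acme\frameguard\event\main_listener
 *           tags:
 *               - { name: event.listener }
 */

namespace acme\frameguard\event;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;

class main_listener implements EventSubscriberInterface
{
	public static function getSubscribedEvents()
	{
		return array(
			'core.page_header'     => 'send_frame_headers', // every front-end page
			'core.adm_page_header' => 'send_frame_headers', // every ACP page
		);
	}

	public function send_frame_headers($event)
	{
		// Headers can only be added before any output. Both events fire
		// before the template is rendered, so this is normally still true.
		if (headers_sent())
		{
			return;
		}

		// Legacy header, understood by every major browser. The second
		// argument replaces any X-Frame-Options value sent earlier instead
		// of adding a second, conflicting one.
		header('X-Frame-Options: SAMEORIGIN', true);

		// Modern equivalent; 'self' allows framing only from the board's own
		// origin. Use "frame-ancestors 'none'" (with X-Frame-Options: DENY)
		// if nothing on the board legitimately frames itself. If the web
		// server or another extension already sends a Content-Security-Policy,
		// merge this directive into it rather than replacing the header here.
		header("Content-Security-Policy: frame-ancestors 'self'", true);
	}
}
```

Drop the three files under `ext/acme/frameguard/`, then enable "Frame guard" under ACP > Customise > Manage extensions. Because the headers are sent from PHP, they only cover pages phpBB itself renders; static files served directly by the web server (images, CSS, the install directory) need the web-server configuration described later in the thread if the scanner complains about those too.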
thecoalman
Community Team Member
Posts: 5850
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Web Application Potentially Vulnerable to Clickjacking

Post by thecoalman »

david63 wrote (Fri Feb 23, 2018 10:25 pm): I have absolutely no idea what all that means but core phpBB does not, and has not for years, used iframe tags.
This has to do with someone using an iframe on their site with your page. They have a button that says "click here for free stuff". That's overlaid with a transparent iframe, aligning a link on your page over the "click here for free stuff" button, e.g. they line up the "mark forums read" link.
stevemaury
Support Team Member
Posts: 52767
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve

Re: Web Application Potentially Vulnerable to Clickjacking

Post by stevemaury »

Not a phpBB issue.
rapidrepair
Registered User
Posts: 14
Joined: Wed Feb 17, 2010 5:20 pm

Re: Web Application Potentially Vulnerable to Clickjacking

Post by rapidrepair »

I guess I still need help fixing this. Can someone give me a step-by-step, and/or look at my forums to see what's going on here? PM me for the link.
Lumpy Burgertushie
Registered User
Posts: 69223
Joined: Mon May 02, 2005 3:11 am

Re: Web Application Potentially Vulnerable to Clickjacking

Post by Lumpy Burgertushie »

Fixing what? There is nothing wrong with phpBB. Forget what that tells you and go on enjoying your phpBB board.

robert
rapidrepair
Registered User
Posts: 14
Joined: Wed Feb 17, 2010 5:20 pm

Re: Web Application Potentially Vulnerable to Clickjacking

Post by rapidrepair »

How do I tell if my phpBB installation is using iframes?
RMcGirr83
Former Team Member
Posts: 22011
Joined: Wed Jun 22, 2005 4:33 pm
Location: Your display
Name: Rich McGirr

Re: Web Application Potentially Vulnerable to Clickjacking

Post by RMcGirr83 »

A default install using a download from here doesn't have iframes within it.
rapidrepair
Registered User
Posts: 14
Joined: Wed Feb 17, 2010 5:20 pm

Re: Web Application Potentially Vulnerable to Clickjacking

Post by rapidrepair »

JoshyPHP wrote (Fri Feb 23, 2018 10:42 pm): Add the header via an extension. Check out phpBB's event list and pick whichever one's executed on every page: https://wiki.phpbb.com/Event_List

It's possible you'll need one event for normal pages and another for admin pages.
Can you help me out with this?
Noxwizard
Support Team Leader
Posts: 10550
Joined: Mon Jun 27, 2005 8:41 pm
Location: Texas, USA
Name: Patrick Webster

Re: Web Application Potentially Vulnerable to Clickjacking

Post by Noxwizard »

You should deal with this in your web server configuration. If it's Apache, add this to your httpd.conf:

Code:

Header always append X-Frame-Options SAMEORIGIN
If you're on shared hosting, and depending on what your host allows in .htaccess files, you can add this to your .htaccess file:

Code:

Header append X-FRAME-OPTIONS "SAMEORIGIN"
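Three things worth knowing before relying on the Apache lines above. The `Header` directive needs mod_headers; in a .htaccess file on a host where it is not loaded, an unguarded `Header` line produces a 500 error, so wrap it in `<IfModule mod_headers.c>`. `always` is what makes the header go out on error responses too, which matters because the scanner text says "all content responses"; the .htaccess variant above has no `always`. And `append` adds to any value already present, so if another layer (a CDN, a second directive, PHP) also sends X-Frame-Options, the browser receives something like `DENY, SAMEORIGIN`, which is not a valid single value; `Header always set X-Frame-Options SAMEORIGIN` replaces instead of appending and avoids that. The script below is an added example for this thread (not phpBB's code and not the scanner's) that applies the same rule the Nessus finding quoted at the top describes, so the fix can be checked before the next PCI scan. The URL on the command line is whatever board you point it at; the two embedded responses are constructed samples, not captures from a real site.

```php
<?php
// Added example for this thread (not phpBB code and not the scanner's code):
// judge a response's headers the way the quoted Nessus finding describes.

/**
 * @param array $headers header name => value, or => array of values when the
 *                       same header was sent more than once (the shape that
 *                       get_headers($url, 1) returns; its numeric status-line
 *                       entry is ignored)
 * @return array ['xfo' => bool, 'csp' => bool, 'protected' => bool, 'notes' => string[]]
 */
function frame_protection(array $headers)
{
	$norm = array();
	foreach ($headers as $name => $value)
	{
		if (is_int($name))
		{
			continue; // "HTTP/1.1 200 OK" style entries from get_headers()
		}
		$norm[strtolower($name)] = (array) $value; // header names are case-insensitive
	}

	$result = array('xfo' => false, 'csp' => false, 'protected' => false, 'notes' => array());

	if (isset($norm['x-frame-options']))
	{
		// Collect every token. A header sent twice, or one whose value became
		// "DENY, SAMEORIGIN" through a stray "Header append", both yield more
		// than one token, and neither is a valid X-Frame-Options header.
		$tokens = array();
		foreach ($norm['x-frame-options'] as $value)
		{
			foreach (explode(',', $value) as $token)
			{
				$tokens[] = strtoupper(trim($token));
			}
		}
		if (count($tokens) !== 1)
		{
			$result['notes'][] = 'X-Frame-Options is not a single value: ' . implode(' | ', $tokens);
		}
		else if ($tokens[0] === 'DENY' || $tokens[0] === 'SAMEORIGIN')
		{
			$result['xfo'] = true;
		}
		else
		{
			// ALLOW-FROM is obsolete and ignored by current browsers; anything
			// else is a typo. Either way no browser will block framing.
			$result['notes'][] = 'X-Frame-Options value not enforced by browsers: ' . $tokens[0];
		}
	}

	if (isset($norm['content-security-policy']))
	{
		foreach ($norm['content-security-policy'] as $policy)
		{
			foreach (explode(';', $policy) as $directive)
			{
				$parts = preg_split('/\s+/', trim($directive));
				if (strtolower($parts[0]) !== 'frame-ancestors')
				{
					continue;
				}
				// "frame-ancestors *" restricts nothing; any other source list does.
				if (array_slice($parts, 1) === array('*'))
				{
					$result['notes'][] = 'frame-ancestors * allows any site to frame the page';
				}
				else
				{
					$result['csp'] = true;
				}
			}
		}
	}
	if (!$result['csp'] && isset($norm['content-security-policy-report-only'])
		&& stripos(implode(';', $norm['content-security-policy-report-only']), 'frame-ancestors') !== false)
	{
		$result['notes'][] = 'frame-ancestors in Content-Security-Policy-Report-Only only reports, it does not block';
	}

	$result['protected'] = $result['xfo'] || $result['csp'];
	return $result;
}

/** Fetch a live page's headers and judge them; null if the request fails. */
function check_url($url)
{
	// get_headers() issues a GET and follows redirects, so this describes
	// the final response, which is what a browser would render.
	$headers = @get_headers($url, 1);
	return $headers === false ? null : frame_protection($headers);
}

// Constructed sample responses (not captured from any real board).
$fixed = array(0 => 'HTTP/1.1 200 OK', 'Content-Type' => 'text/html', 'X-Frame-Options' => 'SAMEORIGIN');
$broken = array(0 => 'HTTP/1.1 200 OK', 'X-Frame-Options' => 'DENY, SAMEORIGIN');

if (PHP_SAPI === 'cli' && isset($argv) && realpath($argv[0]) === __FILE__)
{
	// Usage: php check_frames.php https://forum.example/   (URL is an assumption)
	print_r(isset($argv[1]) ? check_url($argv[1]) : frame_protection($fixed));
	print_r(frame_protection($broken)); // protected => false, with a note explaining why
}
```

Run it against the board's index page, a topic page, a 404 URL and the ACP login page: the scanner's wording ("in all content responses") means a header that is only present on successful front-end pages can still leave the finding open.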