Clickjacking Vulnerability Found
#1
Bug 

Hello Team,

We found a Clickjacking vulnerability ( https://www.owasp.org/index.php/Clickjacking ) in CodeIgniter version 2.1.4.

Is there any solution to resolve this vulnerability?

Special thanks to TARAL OZA for finding this vulnerability.

Thanks & Regards
Hardik Patel ( Head - Product Development @ TechDefence )
Taral Oza ( Sr. Software Developer  @ TechDefence )
#2

First step: upgrade to latest release of the CodeIgniter 2 branch, 2.2.2: https://github.com/bcit-ci/CodeIgniter/a.../2.2.2.zip

If the problem is still there, please send an email with details to [email protected]

Thanks!
#3

(04-30-2015, 03:12 AM)hardikpatel1644 Wrote: Hello Team,

We found a Clickjacking vulnerability ( https://www.owasp.org/index.php/Clickjacking ) in CodeIgniter version 2.1.4.

Is there any solution to resolve this vulnerability?

Special thanks to TARAL OZA for finding this vulnerability.

Thanks & Regards
Hardik Patel ( Head - Product Development @ TechDefence )
Taral Oza ( Sr. Software Developer  @ TechDefence )

One option could be using $this->output->set_header('X-FRAME-OPTIONS: DENY'); on your header

more info about clickjacking here: https://www.owasp.org/index.php/Clickjac...heat_Sheet
#4

As Mel9pr said, the easiest protection seems to be setting the header from a MY_Controller so that all pages send it. Or at least any pages that use frames, if I'm reading those pages correctly.

From what OWASP is saying this is not a server-side framework flaw. Instead, this is related to how your site is created. If you're not using frames, this won't be an issue. If you are, then you should include some frame-busting code (along with that header) to fix any issues. The Clickjacking Defense Cheat Sheet has all of the answers you need there.
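Putting the two suggestions above together, here is an added example (not code from this thread or from the CodeIgniter project) of a CodeIgniter 2.x MY_Controller that sends anti-framing headers on every response. The file location and class name follow CodeIgniter's core-extension convention; the choice of DENY (no framing at all) versus SAMEORIGIN, and the matching Content-Security-Policy frame-ancestors value, are assumptions to adjust to whether your own pages legitimately frame each other.

```php
<?php
// application/core/MY_Controller.php  (hypothetical file for this example)
defined('BASEPATH') OR exit('No direct script access allowed');

/**
 * Base controller: every controller that extends MY_Controller instead of
 * CI_Controller inherits these headers, so no page can be forgotten.
 */
class MY_Controller extends CI_Controller
{
    // Set to TRUE if your own site needs to embed its pages in frames
    // (e.g. a dashboard framing a report); then SAMEORIGIN/'self' is used
    // instead of DENY/'none'. Assumed default: the site never frames itself.
    protected $allow_same_origin_framing = FALSE;

    public function __construct()
    {
        parent::__construct();
        $this->send_antiframing_headers();
    }

    /**
     * Emit the legacy X-Frame-Options header plus its modern CSP equivalent.
     * Browsers that understand frame-ancestors ignore X-Frame-Options, so
     * both values must express the same policy.
     */
    protected function send_antiframing_headers()
    {
        if ($this->allow_same_origin_framing)
        {
            $xfo = 'SAMEORIGIN';
            $csp = "frame-ancestors 'self'";
        }
        else
        {
            $xfo = 'DENY';
            $csp = "frame-ancestors 'none'";
        }

        // Output::set_header() queues the header until the response is sent;
        // the second argument (TRUE) replaces any header of the same name.
        $this->output->set_header('X-Frame-Options: ' . $xfo, TRUE);
        $this->output->set_header('Content-Security-Policy: ' . $csp, TRUE);
    }
}

/* Example controller in application/controllers/welcome.php (hypothetical):

class Welcome extends MY_Controller
{
    public function index()
    {
        $this->load->view('welcome_message');
    }
}
*/
```

To confirm the fix is actually in effect, request any page with `curl -I https://your-site.example/` and check that both `X-Frame-Options` and `Content-Security-Policy: frame-ancestors` appear in the response; a page served by a controller that still extends CI_Controller directly will be missing them. Note that these headers only help for responses served through CodeIgniter: static files served directly by the web server need the same headers configured in Apache or nginx.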