Clickjacking Vulnerability Found - Printable Version

CodeIgniter Forums (https://forum.codeigniter.com)
Forum: Development (https://forum.codeigniter.com/forumdisplay.php?fid=6)
Forum: Issues (https://forum.codeigniter.com/forumdisplay.php?fid=19)
Thread: Clickjacking Vulnerability Found (/showthread.php?tid=61610)
Clickjacking Vulnerability Found - hardikpatel1644 - 04-30-2015

Hello Team,

We found a Clickjacking vulnerability (https://www.owasp.org/index.php/Clickjacking) in CodeIgniter version 2.1.4. Is there any solution to resolve this vulnerability?

Special thanks to TARAL OZA for finding this vulnerability.

Thanks & Regards
Hardik Patel (Head - Product Development @ TechDefence)
Taral Oza (Sr. Software Developer @ TechDefence)

RE: Clickjacking Vulnerability Found - ciadmin - 04-30-2015

First step: upgrade to the latest release of the CodeIgniter 2 branch, 2.2.2: https://github.com/bcit-ci/CodeIgniter/archive/2.2.2.zip

If the problem is still there, please send an email with details to security@codeigniter.com

Thanks!

RE: Clickjacking Vulnerability Found - Mel9pr - 05-01-2015

(04-30-2015, 03:12 AM) hardikpatel1644 Wrote: Hello Team,

One option could be using $this->output->set_header('X-FRAME-OPTIONS: DENY'); in your header. More info about clickjacking here: https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

RE: Clickjacking Vulnerability Found - kilishan - 05-01-2015

As Mel9pr said, the easiest protection seems to be setting the header from a MY_Controller so that all pages send it. Or at least any pages that use frames, if I'm reading those pages correctly.

From what OWASP is saying, this is not a server-side framework flaw. Instead, this is related to how your site is created. If you're not using frames, this won't be an issue. If you are, then you should include some frame-busting code (along with that header) to fix any issues. The Clickjacking Defense Cheat Sheet has all of the answers you need there.
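The MY_Controller approach suggested in the replies above, written out as an added example. This is not code from the thread or from the CodeIgniter project; it assumes a CodeIgniter 2.x application, uses a hypothetical config key `frame_ancestors`, and sends the modern `Content-Security-Policy: frame-ancestors` directive alongside the `X-Frame-Options` header the replies mention, since X-Frame-Options alone cannot express a list of permitted embedding origins.

```php
<?php
// Added example (not code from the thread or from the CodeIgniter project).
// Assumes a CodeIgniter 2.x application. Save as application/core/MY_Controller.php;
// "MY_" is CodeIgniter's default subclass prefix, so every controller that
// extends MY_Controller instead of CI_Controller sends the headers below.
defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Controller extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();

        // Hypothetical config key. Leave it unset (or empty) to forbid all framing,
        // set it to array('self') to allow only same-origin framing, or list the
        // exact origins (scheme://host[:port]) that may embed this site.
        $ancestors = $this->config->item('frame_ancestors');
        if (!is_array($ancestors)) {
            $ancestors = array();
        }

        foreach (self::frame_protection_headers($ancestors) as $header) {
            $this->output->set_header($header);
        }
    }

    /**
     * Builds the anti-framing headers for a list of permitted frame ancestors.
     * Returns an array of complete header lines so the logic can be exercised
     * without a request. Values that are neither 'self' nor a plain origin are
     * rejected, which also keeps CR/LF out of the header (header injection).
     */
    public static function frame_protection_headers(array $ancestors)
    {
        $sources = array();
        foreach ($ancestors as $a) {
            if ($a === 'self') {
                $sources[] = "'self'";
            } elseif (preg_match('#\A[a-z][a-z0-9+.-]*://[a-z0-9.-]+(:\d{1,5})?\z#i', $a)) {
                $sources[] = $a;
            } else {
                throw new InvalidArgumentException("Invalid frame ancestor: $a");
            }
        }

        if (count($sources) === 0) {
            // Nobody may frame us: the legacy header and the CSP directive both say so.
            return array(
                'X-Frame-Options: DENY',
                "Content-Security-Policy: frame-ancestors 'none'",
            );
        }

        if ($sources === array("'self'")) {
            return array(
                'X-Frame-Options: SAMEORIGIN',
                "Content-Security-Policy: frame-ancestors 'self'",
            );
        }

        // A list of third-party origins cannot be expressed with X-Frame-Options
        // (ALLOW-FROM takes a single origin and is not widely supported). Browsers
        // that implement frame-ancestors ignore X-Frame-Options when both are
        // present, so SAMEORIGIN here only affects older browsers, which then block
        // the partner origins rather than allowing everyone to frame the site.
        return array(
            'X-Frame-Options: SAMEORIGIN',
            'Content-Security-Policy: frame-ancestors ' . implode(' ', $sources),
        );
    }
}
```

To confirm the fix is actually deployed, fetch any page with `curl -I` and check that both `X-Frame-Options` and `Content-Security-Policy` appear in the response. One caveat worth knowing: `$this->output->set_header()` only queues the header, and the Output class sends it when it renders the response, so a controller method that echoes its own output and then calls `exit()` never sends it; such paths need a direct `header()` call in the constructor instead.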