Clickjacking Vulnerability Found
Hello Team,
We found a Clickjacking Vulnerability ( https://www.owasp.org/index.php/Clickjacking ) in CodeIgniter version 2.1.4. Is there any solution to resolve this Vulnerability? Special thanks to TARAL OZA for finding this Vulnerability.
Thanks & Regards
Hardik Patel ( Head - Product Development @ TechDefence )
Taral Oza ( Sr. Software Developer @ TechDefence )
First step: upgrade to latest release of the CodeIgniter 2 branch, 2.2.2: https://github.com/bcit-ci/CodeIgniter/a.../2.2.2.zip
If the problem is still there, please send an email with details to [email protected]. Thanks!

(04-30-2015, 03:12 AM)hardikpatel1644 Wrote: Hello Team,
One option could be using $this->output->set_header('X-FRAME-OPTIONS: DENY'); on your header. More info about clickjacking here: https://www.owasp.org/index.php/Clickjac...heat_Sheet
As Mel9pr said, the easiest protection seems to be setting the header from a MY_Controller so that all pages send it. Or at least any pages that use frames, if I'm reading those pages correctly.
From what OWASP is saying, this is not a server-side framework flaw. Instead, this is related to how your site is created. If you're not using frames, this won't be an issue. If you are, then you should include some frame-busting code (along with that header) to fix any issues. The Clickjacking Defense Cheat Sheet has all of the answers you need there.
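The MY_Controller approach suggested in the replies above, written out as an added example for CodeIgniter 2.x (not code from the thread or from the CodeIgniter project). It assumes the default application/core and application/controllers layout; the $frame_policy property and send_antiframing_headers() method are names chosen here, and the Content-Security-Policy frame-ancestors header is the modern counterpart of X-Frame-Options, which the thread does not mention.

```php
<?php
// application/core/MY_Controller.php -- CodeIgniter 2.x base controller.
// Added example, not from the original thread or the CodeIgniter project.
// Every controller that extends MY_Controller emits anti-framing headers,
// so the defence does not depend on each view remembering to add them.
class MY_Controller extends CI_Controller
{
    // Child controllers may override this with 'SAMEORIGIN' when their pages
    // are legitimately framed by this same site; 'DENY' is the safe default.
    protected $frame_policy = 'DENY';

    public function __construct()
    {
        parent::__construct();
        $this->send_antiframing_headers();
    }

    protected function send_antiframing_headers()
    {
        // Legacy header, honoured by every browser with clickjacking defences.
        $this->output->set_header('X-Frame-Options: ' . $this->frame_policy);

        // Modern equivalent (CSP frame-ancestors); browsers that support it
        // give it precedence over X-Frame-Options, so send both.
        $ancestors = ($this->frame_policy === 'SAMEORIGIN') ? "'self'" : "'none'";
        $this->output->set_header('Content-Security-Policy: frame-ancestors ' . $ancestors);
    }
}

// application/controllers/welcome.php -- an ordinary page; inherits DENY.
class Welcome extends MY_Controller
{
    public function index()
    {
        $this->load->view('welcome_message');
    }
}

// application/controllers/widget.php -- a page this site embeds in its own
// iframes; relaxes the policy to same-origin only, everything else stays DENY.
class Widget extends MY_Controller
{
    protected $frame_policy = 'SAMEORIGIN';

    public function index()
    {
        $this->load->view('widget_embed');
    }
}
```

Confirm the fix from outside the application with curl -sI against a page URL and check that both X-Frame-Options and Content-Security-Policy appear in the response headers; a page that is served without going through the Output class (for example one that calls exit() directly) will not carry them.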