Информационная безопасность
[RU] switch to English


Дополнительная информация

  Cводка уязвимостей безопасности в Web-приложениях (PHP, ASP, JSP, CGI, Perl)

  Multiple vulnerabilities in Vulcan theme for WordPress + WAF bypass

  [SECURITY] [DSA 3295-1] cacti security update

  CVE-2015-3443 XSS in Thycotic Secret Server version 8.6.000000 to 8.8.000004

  ManageEngine Asset Explorer v6.1 - Persistent Vulnerability

From:otr_(at)_bockcay.de <otr_(at)_bockcay.de>
Date:5 июля 2015 г.
Subject:CollabNet Subversion Edge missing clickjacking protection



# Vuln Title: The CollabNet Subversion Edge Management Frontend does not
# implement clickjacking protection
#
# Date: 28.06.2015
# Author: otr
# Software Link: https://www.open.collab.net/downloads/svnedge
# Vendor: CollabNet
# Version: 4.0.11
# Tested on: Fedora Linux
# Type: Clickjacking
#
# Risk: Medium
# Status: public/fixed
# Fixed version: 5.0

Timeline:

2014-10-09 Flaw Discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure

Summary:

It might be possible for a web page controlled by an attacker to load the
content of this response within an iframe on the attacker's page. The
application's response does not set a suitable X-Frame-Options header in order
to prevent framing attacks.

Fix proposal:

To effectively prevent framing attacks, the application should return a response
header with the name X-Frame-Options and the value DENY to prevent framing
altogether, or the value SAMEORIGIN to allow framing only by pages on the same
origin as the response itself.

Vendor fix:

X-Frame-Options is set by default to DENY. It is configurable.

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород