https://bugzilla.wikimedia.org/show_bug.cgi?id=26561

           Summary: Clickjacking vulnerabilities
           Product: MediaWiki
           Version: 1.16.0
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: Normal
         Component: General/Unknown
        AssignedTo: tstarl...@wikimedia.org
        ReportedBy: tstarl...@wikimedia.org


Clickjacking is a class of vulnerability first described in 2008, which is similar
to CSRF: the attacker causes the victim's browser to submit an authenticated
action to the target site without the victim intending it.

The attack involves displaying the target webpage in an iframe embedded in a
malicious website. Using CSS, the iframe is made transparent and positioned so
that the submit button of a form on the target webpage sits underneath a visible
button or link on the malicious website that encourages the user to click on it.
The click lands on the target page's own button, and the browser sends the
request with the user's cookies, so a CSRF token embedded in the form offers no
protection. For more information, see:

  http://en.wikipedia.org/wiki/Clickjacking
  http://www.owasp.org/index.php/Clickjacking

Web browsers have standardised on a defence called the X-Frame-Options response
header, which puts the onus on the web application to declare which of its pages
may be framed and to deny framing of sensitive content.

Wikipedia user PleaseStand brought it to our attention that despite the passage
of more than two years, MediaWiki still had no defence against clickjacking.
PleaseStand pointed out that when user or site JavaScript or CSS is enabled
($wgAllowUserJs, $wgAllowUserCss, $wgUseSiteJs or $wgUseSiteCss), clickjacking
is essentially equivalent to cross-site scripting (XSS), that is to say, it
allows full compromise of the account of the user visiting the malicious
website.

A fix will shortly be released, in MediaWiki 1.16.1. Our approach is to allow
framing of basic page views and search pages, but to deny framing of special
pages unless they have explicitly opted out of clickjacking protection. By
taking this moderate approach, instead of denying all framing, we hope to avoid
having system administrators disable the security feature by patching it out.

Security-conscious system administrators may wish to disable framing entirely
using $wgBreakFrames = true. In MediaWiki 1.16.1 or later, this will provide
protection against clickjacking vulnerabilities in extensions which opt out
incorrectly or embed sensitive forms on pages which are opted out. 

Alternatively, you can configure your web server to send an X-Frame-Options
header on all pages. For example with Apache mod_headers:

   Header always set X-Frame-Options DENY
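The following is an added example, not code from MediaWiki or from this report.
It models how a browser that implements X-Frame-Options decides whether a
response may be rendered in a frame (DENY, SAMEORIGIN, ALLOW-FROM, or a missing
or unrecognised value), and then audits a constructed set of wiki responses to
list the pages an attacker at an assumed origin could still frame. The URLs,
headers and the attacker origin are constructed for the example.

```javascript
// Added example (not MediaWiki code). Models browser-side X-Frame-Options
// handling and audits a constructed set of responses for frameable pages.

// Parse the X-Frame-Options value the way browsers do: header name and value
// are case-insensitive, surrounding whitespace is ignored, and any value the
// browser does not recognise is treated as if no header had been sent.
function parseFrameOptions(headers) {
  const name = Object.keys(headers).find(k => k.toLowerCase() === 'x-frame-options');
  if (name === undefined) return { policy: 'NONE' };
  const value = String(headers[name]).trim();
  const upper = value.toUpperCase();
  if (upper === 'DENY') return { policy: 'DENY' };
  if (upper === 'SAMEORIGIN') return { policy: 'SAMEORIGIN' };
  const m = /^ALLOW-FROM\s+(\S+)$/i.exec(value);
  if (m) {
    try {
      return { policy: 'ALLOW-FROM', origin: new URL(m[1]).origin };
    } catch (e) {
      return { policy: 'INVALID', value };
    }
  }
  return { policy: 'INVALID', value };
}

// Decide whether the response for `framedOrigin` may be displayed when the
// top-level document belongs to `topOrigin`. Returns true if framing is allowed.
// Caveat: ALLOW-FROM was never implemented by every browser; a browser that does
// not understand it ignores the header entirely, so such a page is frameable there.
function framingAllowed(headers, framedOrigin, topOrigin) {
  const xfo = parseFrameOptions(headers);
  switch (xfo.policy) {
    case 'DENY': return false;
    case 'SAMEORIGIN': return framedOrigin === topOrigin;
    case 'ALLOW-FROM': return xfo.origin === topOrigin;
    default: return true; // no header, or a value the browser does not understand
  }
}

// Audit helper: given the responses a wiki returned for a set of URLs, return
// the URLs that a page at `attackerOrigin` could embed in a frame.
function frameablePages(responses, attackerOrigin) {
  return responses
    .filter(r => framingAllowed(r.headers, new URL(r.url).origin, attackerOrigin))
    .map(r => r.url);
}

// Constructed sample responses (hypothetical wiki host and header mix).
const sampleResponses = [
  { url: 'https://wiki.example/wiki/Main_Page',
    headers: { 'Content-Type': 'text/html' } },
  { url: 'https://wiki.example/wiki/Special:Search?search=x',
    headers: { 'Content-Type': 'text/html' } },
  { url: 'https://wiki.example/wiki/Special:Preferences',
    headers: { 'X-Frame-Options': 'DENY' } },
  { url: 'https://wiki.example/wiki/Special:UserLogin',
    headers: { 'x-frame-options': 'deny' } },
  { url: 'https://wiki.example/index.php?title=Main_Page&action=edit',
    headers: { 'X-Frame-Options': 'SAMEORIGIN' } },
  // A malformed value gives no protection at all: the browser ignores it.
  { url: 'https://wiki.example/wiki/Special:Upload',
    headers: { 'X-Frame-Options': 'DENY;' } },
];

const attackerOrigin = 'https://evil.example'; // assumed attacker site
console.log(frameablePages(sampleResponses, attackerOrigin));
```

The audit reports Main_Page and the search page (no header, which is the
intended 1.16.1 behaviour for plain views) and Special:Upload (malformed value)
as frameable; the DENY and SAMEORIGIN pages are not, because the attacker's
origin differs from the wiki's. A sysadmin who sets `$wgBreakFrames` or the
Apache `Header always set X-Frame-Options DENY` line above would expect this list
to come back empty for every page.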

For MediaWiki 1.15.x or earlier branches, we will provide a simplified security
patch which denies all framing. 

Extensions which wish to allow framing on a given page should do so by calling
$wgOut->allowClickjacking(). This should only be done on pages which do not
contain CSRF-protected forms or links. Any extension which embeds a
CSRF-protected form in an unprotected article view page should call
$wgOut->preventClickjacking(), after Article::view() has called
$wgOut->allowClickjacking(), to reset the flag. 
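The following is an added example, not MediaWiki code: a small JavaScript model
of the per-page flag described above, written to show how the default-deny
flag, a special page's opt-out, an extension's `preventClickjacking()` call and
`$wgBreakFrames` combine, and why the extension's call must run after
`Article::view()` rather than before it. The class and function names are
invented for the model; only the behaviour they simulate comes from this report.

```javascript
// Added example (not MediaWiki code): model of the allow/prevent framing flag.

class OutputPolicy {
  constructor({ breakFrames = false } = {}) {
    this.breakFrames = breakFrames;    // models $wgBreakFrames
    this.clickjackingAllowed = false;  // default: framing denied
  }
  allowClickjacking()   { this.clickjackingAllowed = true; }   // opt out of protection
  preventClickjacking() { this.clickjackingAllowed = false; }  // reset the flag
  // Header to emit for this response; null means the page may be framed.
  frameOptions() {
    if (this.breakFrames) return 'DENY';  // $wgBreakFrames overrides every opt-out
    return this.clickjackingAllowed ? null : 'DENY';
  }
}

// Simulate one request. `kind` is 'article' (the core view code opts the page
// out of protection, as Article::view() does) or 'special' (protected unless the
// special page itself opts out). `hooks` model extension code that runs after
// the core view code and decorates the page.
function render(kind, { config = {}, specialOptsOut = false, hooks = [] } = {}) {
  const out = new OutputPolicy(config);
  if (kind === 'article') out.allowClickjacking();
  if (kind === 'special' && specialOptsOut) out.allowClickjacking();
  for (const hook of hooks) hook(out);
  return out.frameOptions();
}

// An extension that embeds a CSRF-protected form into an article view must
// re-enable protection, and must do so after the core view code has cleared it.
const embedsCsrfForm = out => out.preventClickjacking();

// The failure mode: an extension hook that runs before the core view code has
// its preventClickjacking() call undone, and the page ships without the header.
function renderWrongOrder(kind, hooks) {
  const out = new OutputPolicy();
  for (const hook of hooks) hook(out);              // extension resets the flag...
  if (kind === 'article') out.allowClickjacking();  // ...then core sets it again
  return out.frameOptions();
}

console.log(render('article'));                                    // null
console.log(render('special'));                                    // DENY
console.log(render('special', { specialOptsOut: true }));          // null
console.log(render('article', { hooks: [embedsCsrfForm] }));       // DENY
console.log(renderWrongOrder('article', [embedsCsrfForm]));        // null (frameable!)
console.log(render('special', { specialOptsOut: true,
                                config: { breakFrames: true } }));  // DENY
```

The last two cases are the ones that matter for extension authors and
administrators: an opt-out that runs before `Article::view()` is silently lost,
and `$wgBreakFrames = true` is the only setting that makes every opt-out
irrelevant.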

Users are protected against clickjacking only if their browser supports the
X-Frame-Options header. Our patch does include the standard frame-breaking
JavaScript code, but this is known to be bypassable in most browsers. See the
OWASP article for more details. For information on supported browsers, see:

<https://developer.mozilla.org/en/the_x-frame-options_response_header>

_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l