** Description changed:

- = Impact =
- A remote attacker could trick users into performing unintended actions within the application.
+ [Test Case]
+ Without the fix:
+ 1. Install MAAS.
+ 2. Create web page on other domain that loads MAAS in an IFRAME.
+ 3. MAAS loads and is usable.

- = Details =
- The MAAS application has no protection against user-interface redressing attacks like clickjacking. By
- displaying the application in carefully constructed iframes on an unrelated domain, an attacker may
- be able to deceive users into performing one or two-click actions in the context of the application,
- such as deploying a charm. The impact of a successful clickjacking attack is similar to that of cross-site
- request forgery.
- See http://www.sectheory.com/clickjacking.htm for a worked demonstration of a clickjacking attack.
+ With the fix:
+ 3. MAAS should not display, or should break out of the IFRAME.

- = Exploitability =
- An attacker can only create exploits for forms that he would be able to view, as he would need to
- know the URL and positioning of the target forms. The attacker would also have to persuade a logged-
- in user to visit and click once or twice on the page under his control.
- A well-executed clickjacking attack is likely to go unnoticed by its victims.
+ Impact:
+ A remote attacker could trick users into performing unintended actions
+ within the application.

- = Remediation =
- The application should instruct browsers not to allow other websites to load it in a frame, by adding
- the X-Frame-Options: SAMEORIGIN server header.
+ Commentary:
+ The MAAS application has no protection against user-interface
+ redressing attacks like clickjacking. By displaying the application in
+ carefully constructed iframes on an unrelated domain, an attacker may
+ be able to deceive users into performing one or two-click actions in
+ the context of the application, such as deploying a charm. The impact
+ of a successful clickjacking attack is similar to that of cross-site
+ request forgery. See http://www.sectheory.com/clickjacking.htm for a
+ worked demonstration of a clickjacking attack.
+
+ Exploitability:
+ An attacker can only create exploits for forms that he would be able
+ to view, as he would need to know the URL and positioning of the
+ target forms. The attacker would also have to persuade a logged- in
+ user to visit and click once or twice on the page under his control.
+ A well-executed clickjacking attack is likely to go unnoticed by its
+ victims.
+
+ Remediation:
+ The application should instruct browsers not to allow other websites
+ to load it in a frame, by adding the X-Frame-Options: SAMEORIGIN
+ server header.
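The remediation and the test case above can be exercised without a browser. The following is an added example, not MAAS code and not the fix that was shipped for this bug: a generic WSGI middleware that sets the `X-Frame-Options: SAMEORIGIN` header the remediation asks for (plus the equivalent CSP `frame-ancestors 'self'` directive, which current browsers prefer), and a checker that decides from a response's headers whether a page on another domain could frame it, which is what steps 2 and 3 of the test case verify by hand. The toy application and the header lists are constructed for the example; MAAS itself is a Django application, where the same header is provided by Django's `XFrameOptionsMiddleware`.

```python
"""Added example (not MAAS project code): anti-framing headers for a WSGI
app, and a checker for the headers a response actually sends."""


def add_frame_headers(app):
    """Wrap a WSGI app so every response refuses cross-origin framing.

    X-Frame-Options: SAMEORIGIN is what the bug's remediation asks for;
    Content-Security-Policy: frame-ancestors 'self' is the modern form
    and is honoured in preference to X-Frame-Options when both are sent.
    Headers already set by the app are left untouched.
    """

    def wrapped(environ, start_response):
        def _start_response(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            if "x-frame-options" not in present:
                headers.append(("X-Frame-Options", "SAMEORIGIN"))
            if "content-security-policy" not in present:
                headers.append(("Content-Security-Policy",
                                "frame-ancestors 'self'"))
            return start_response(status, headers, exc_info)

        return app(environ, _start_response)

    return wrapped


def frame_protected(headers):
    """Return True if these response headers stop a page on another origin
    from loading the response in an iframe.

    A CSP frame-ancestors directive wins if present: only 'self' and
    'none' (or an empty list, which the spec treats as 'none') count as
    protected, since any other source is an explicit allowance. Without
    CSP, X-Frame-Options must be DENY or SAMEORIGIN; an absent header or
    any other value leaves the page frameable.
    """
    hdrs = {name.lower(): value for name, value in headers}
    csp = hdrs.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = {s.strip("'").lower() for s in parts[1:]}
            return sources <= {"self", "none"}
    xfo = hdrs.get("x-frame-options", "").strip().upper()
    return xfo in ("DENY", "SAMEORIGIN")


def demo_response(with_fix):
    """Run a constructed toy app (standing in for the MAAS UI) through the
    middleware or bare, and return the response headers it emitted.
    with_fix=False reproduces the 'without the fix' test case."""

    def toy_app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/html")])
        return [b"<html>toy MAAS UI</html>"]

    app = add_frame_headers(toy_app) if with_fix else toy_app
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = list(headers)

    list(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response))
    return captured["headers"]


if __name__ == "__main__":
    for fixed in (False, True):
        hdrs = demo_response(fixed)
        print("with fix" if fixed else "without fix",
              "-> protected" if frame_protected(hdrs) else "-> frameable",
              hdrs)
```

Running the module prints one line per case: the bare app is reported as frameable, the wrapped one as protected. The same `frame_protected` check is usable against headers captured from a real deployment to confirm the fix is actually reaching the browser, which matters because a reverse proxy in front of the application can strip or override these headers.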
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1298784

Title:
  Vulnerable to user-interface redressing (e.g. clickjacking)

To manage notifications about this bug go to:
https://bugs.launchpad.net/maas/+bug/1298784/+subscriptions

--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
