
ClickJacking finding on Openfire 4.1.5

I have the following finding in our pre-deployment Openfire Server (4.1.5)

The following pages do not use a clickjacking mitigation response header and contain a clickable event:
- http://ourIMserver.com:9090/login.jsp

How do I fix this? thanks.

The main reason why we are moving to OpenFire 4.1.5 was that the clickjacking issue was picked up by the scans of our production box running OpenFire 3.10.2. We have not looked at 4.2 since it is not released. Is there no way to fix this for 4.1.5? If so, how? Or is this a “compiled” fix? (That is, there’s nothing that can be done from the configuration or admin console?)

Thanks.

-g

What scanner did you use?

SecurityCenter by Tenable and Nessus vulnerability scanner

Thanks. I run the same scanner, so I’ll see if I can reproduce your results. What profile are you using?

Most pages should produce an X-Frame-Options header, but these are only for pages which are used by an authenticated user. login.jsp is not, and cannot be used in a clickjacking attack because that would require the attacker to know an admin username and password (and if they do, it seems a little pointless).

I appreciate the scanner will show this as, in effect, a false positive, though, and I can look into ensuring the same X-Frame-Options header is used for login.jsp as well.
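The check below is an added example and is not code from this thread or from the Openfire project. It reproduces, offline, the kind of test a scanner applies to each page: a response is treated as protected only if it carries a valid X-Frame-Options value or a Content-Security-Policy frame-ancestors directive that does not allow every origin. The sample header sets (including the one standing in for login.jsp) are constructed for the example, not captured from a real server; the function and dataclass names are the example's own.

```python
"""Offline check for clickjacking mitigation headers (added example, not Openfire code)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class FrameCheck:
    protected: bool
    reason: str


VALID_XFO = {"DENY", "SAMEORIGIN"}


def _xfo_status(value: str) -> FrameCheck:
    """Evaluate an X-Frame-Options header the way current browsers do."""
    v = value.strip().upper()
    if v in VALID_XFO:
        return FrameCheck(True, f"X-Frame-Options: {v}")
    if v.startswith("ALLOW-FROM"):
        # ALLOW-FROM is obsolete; browsers ignore it, so the page is framable.
        return FrameCheck(False, "X-Frame-Options ALLOW-FROM is ignored by browsers")
    return FrameCheck(False, f"unrecognised X-Frame-Options value {value!r}")


def _csp_frame_ancestors(csp: str) -> FrameCheck | None:
    """Return a verdict from a CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        sources = [s.strip("'").lower() for s in parts[1:]]
        if not sources:
            return FrameCheck(False, "frame-ancestors present but lists no sources")
        # A wildcard or bare scheme source lets any origin frame the page.
        if any(s in ("*", "http:", "https:") for s in sources):
            return FrameCheck(False, f"frame-ancestors allows any origin: {sources}")
        return FrameCheck(True, f"CSP frame-ancestors {sources}")
    return None


def check_clickjacking_headers(headers: dict[str, str]) -> FrameCheck:
    """Decide whether one response's headers mitigate clickjacking.

    Header names are matched case-insensitively. When CSP carries a
    frame-ancestors directive it takes precedence over X-Frame-Options,
    matching the CSP specification.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy")
    if csp:
        verdict = _csp_frame_ancestors(csp)
        if verdict is not None:
            return verdict
    xfo = lowered.get("x-frame-options")
    if xfo is not None:
        return _xfo_status(xfo)
    return FrameCheck(False, "no X-Frame-Options or CSP frame-ancestors header")


# Constructed sample responses; the first mirrors the finding in the thread.
SAMPLE_RESPONSES: dict[str, dict[str, str]] = {
    "login.jsp (unauthenticated)": {
        "Content-Type": "text/html",
        "Set-Cookie": "JSESSIONID=constructed-value; HttpOnly",
    },
    "index.jsp (authenticated)": {
        "Content-Type": "text/html",
        "X-Frame-Options": "SAMEORIGIN",
    },
    "csp-only page": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    },
    "csp-wildcard overrides xfo": {
        "Content-Security-Policy": "frame-ancestors *",
        "X-Frame-Options": "DENY",
    },
}


def scan_all(responses: dict[str, dict[str, str]]) -> dict[str, FrameCheck]:
    """Run the check over every sample and return the verdict per page."""
    return {name: check_clickjacking_headers(h) for name, h in responses.items()}


if __name__ == "__main__":
    for page, result in scan_all(SAMPLE_RESPONSES).items():
        flag = "OK  " if result.protected else "FIND"
        print(f"{flag} {page}: {result.reason}")
```

Run against live responses, the same function can be fed the header dictionary from any HTTP client; the point of the wildcard sample is that a DENY header is not enough once a CSP frame-ancestors directive is present, because the browser uses the directive and ignores X-Frame-Options.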

In this case, we run a full vulnerability scan. Does that make sense?

Sorry for the delay, you make a very good point (with it applying to authenticated user at the console).

So, to ensure that the X-Frame-Options header is used for login.jsp, would that only come about in a new version of Openfire? Or a simple replacement/update of login.jsp that we could somehow use/deploy right away?

(I am not a Java programmer but could learn to compile/repackage if need be.)

In any event, thanks for the insight

-g

I mean, you cannot mount a clickjacking attack on login.jsp. So you’re fine.

I’ll look into adding the header field, but not to correct any security issue - just that it’ll stop these false positives.

But please do run a full scan and report anything else you find.