The main reason why we are moving to OpenFire 4.1.5 was that the clickjacking issue was picked up by the scans of our production box running OpenFire 3.10.2. We have not looked at 4.2 since it is not released. Is there no way to fix this for 4.1.5? If so, how? Or is this a “compiled” fix? (that is, there’s nothing that can be done from the configuration or admin console?)
Most pages should produce an X-Frame-Options header, but these are only for pages which are used by an authenticated user. login.jsp is not, and cannot be used in a clickjacking attack because that would require the attacker to know an admin username and password (and if they do, it seems a little pointless).
I appreciate the scanner will show this as, in effect, a false positive, though, and I can look into ensuring the same X-Frame-Options header is used for login.jsp as well.
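A header check written for this thread (an added example, not Openfire code): it classifies whether a response's X-Frame-Options or Content-Security-Policy frame-ancestors header stops the page from being framed, and runs it over constructed sample headers standing in for an authenticated admin page and login.jsp. The paths and header values are assumed, and `fetch_headers` is a hypothetical helper for pointing the check at a live console.

```python
"""Report which pages of a web console lack framing protection."""
import urllib.request
from typing import Mapping


def framing_protection(headers: Mapping[str, str]) -> str:
    """Classify a response as 'blocked', 'same-origin', 'restricted' or 'none'.

    CSP frame-ancestors is consulted first, since browsers that support it
    ignore X-Frame-Options when both are present.
    """
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    for directive in lower.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split()
            if sources == ["'none'"]:
                return "blocked"
            if sources == ["'self'"]:
                return "same-origin"
            return "restricted"  # an allow-list of specific origins
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "none"  # no recognised protection: the page can be framed anywhere


def unprotected_pages(responses: Mapping[str, Mapping[str, str]]) -> list:
    """Return the paths whose headers allow arbitrary framing."""
    return sorted(p for p, h in responses.items() if framing_protection(h) == "none")


def fetch_headers(url: str) -> dict:
    """Hypothetical helper: fetch a live page and return its response headers."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed sample responses modelled on the thread (not captured from a real
# server): the authenticated admin page sets the header, login.jsp does not.
SAMPLE_RESPONSES = {
    "/index.jsp": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
    "/login.jsp": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for path, hdrs in SAMPLE_RESPONSES.items():
        print(f"{path}: {framing_protection(hdrs)}")
    print("unprotected:", unprotected_pages(SAMPLE_RESPONSES))
```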
Sorry for the delay, you make a very good point (with it applying to authenticated users at the console).
So, to ensure that the X-Frame-Options header is used for login.jsp, would that only come about in a new version of Openfire? Or a simple replacement/update of login.jsp that we could somehow use/deploy right away?
(I am not a Java programmer but could learn to compile/repackage if need be)