Openfire web server potentially vulnerable to clickjacking

Hello,

We are running a vulnerability scan assignment and I got a scan report today detecting a possible clickjacking vulnerability on our Openfire web server application.

The following pages do not use an X-Frame-Options response header:
- http://openfireserveripaddress:7070/
- http://openfireserveripaddress:9090/js/tooltips/
- http://openfireserveripaddress:9090/js/jscalendar/
- http://openfireserveripaddress:9090/login.jsp
- http://openfireserveripaddress:9090/
- http://openfireserveripaddress:9090/style/
- http://openfireserveripaddress:9090/setup/
- http://openfireserveripaddress:9090/js/
- http://openfireserveripaddress:9090/images/

Is there any way to enable X-Frame-Options for those pages?

Regards

I am about to deploy a server running Openfire 4.1.5, and our scans also show:

The following pages do not use a clickjacking mitigation response header and contain a clickable event:
- http://myIMserver.com:9090/login.jsp

How do I fix this? Please help…

OF-997 would indicate these were fixed for 4.1.0, are you able to test a 4.2.0 build with your scan?

None of these pages are realistically vulnerable to clickjacking, since none of these have clickable events that an attacker can perform unauthenticated. All authenticated pages use X-Frame-Options header fields which prevent an attacker from doing anything useful.

I can close off the login.jsp one easily enough, but I don’t think this is a security issue.

I really don’t think that placing the header field on images will make much difference to anything.

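To re-check the pages listed in the scan report after a fix (or after upgrading, as suggested above), here is an added checker that is not part of the thread or of Openfire. It treats a response as mitigated when it carries X-Frame-Options DENY/SAMEORIGIN or a Content-Security-Policy frame-ancestors directive (which browsers honour in preference to X-Frame-Options); the host name and the offline sample headers are assumed.

```python
"""Check Openfire console URLs for a clickjacking-mitigation response header.

Added example, not code from the thread or from Openfire itself.
"""
import urllib.request
from typing import Callable, Dict, List

Headers = Dict[str, str]

# Paths reported by the scan in the question, relative to the console address.
REPORTED_PATHS = [
    "/", "/js/tooltips/", "/js/jscalendar/", "/login.jsp",
    "/style/", "/setup/", "/js/", "/images/",
]


def frame_policy(headers: Headers) -> str:
    """Classify the framing policy a response's headers express.

    Returns 'csp', 'xfo' or 'none'. Header names match case-insensitively.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        if directive.strip().lower().startswith("frame-ancestors"):
            return "csp"  # a CSP frame-ancestors directive overrides X-Frame-Options
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    return "none"  # header missing, or a value browsers ignore (e.g. ALLOW-FROM)


def fetch_headers(url: str) -> Headers:
    """Issue a HEAD request and return the response headers."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


def unmitigated_pages(base: str, paths: List[str],
                      fetch: Callable[[str], Headers] = fetch_headers) -> List[str]:
    """Return the URLs under `base` whose response carries no framing policy."""
    return [base + p for p in paths if frame_policy(fetch(base + p)) == "none"]


if __name__ == "__main__":
    # Placeholder host: substitute the console address from your own report.
    for url in unmitigated_pages("http://openfireserveripaddress:9090", REPORTED_PATHS):
        print("no clickjacking mitigation header:", url)
```

Passing a custom `fetch` callable lets the same logic run over saved responses, which is how the check can be exercised without network access.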