[Bug 1298784] Re: Vulnerable to user-interface redressing (e.g. clickjacking)
Gavin Panella
gavin.panella at canonical.com
Thu May 8 20:02:23 UTC 2014
** Description changed:
- = Impact =
- A remote attacker could trick users into performing unintended actions within the application.
+ [Test Case]
+ Without the fix:
+ 1. Install MAAS.
+ 2. Create web page on other domain that loads MAAS in an IFRAME.
+ 3. MAAS loads and is usable.
- = Details =
- The MAAS application has no protection against user-interface redressing attacks like clickjacking. By
- displaying the application in carefully constructed iframes on an unrelated domain, an attacker may
- be able to deceive users into performing one or two-click actions in the context of the application,
- such as deploying a charm. The impact of a successful clickjacking attack is similar to that of cross-site
- request forgery.
- See http://www.sectheory.com/clickjacking.htm for a worked demonstration of a clickjacking attack.
+ With the fix:
+ 3. MAAS should not display, or should break out of the IFRAME.
- = Exploitability =
- An attacker can only create exploits for forms that he would be able to view, as he would need to
- know the URL and positioning of the target forms. The attacker would also have to persuade a logged-
- in user to visit and click once or twice on the page under his control.
- A well-executed clickjacking attack is likely to go unnoticed by its victims.
+ Impact:
+ A remote attacker could trick users into performing unintended actions
+ within the application.
- = Remediation =
- The application should instruct browsers not to allow other websites to load it in a frame, by adding
- the X-Frame-Options: SAMEORIGIN server header.
+ Commentary:
+ The MAAS application has no protection against user-interface
+ redressing attacks like clickjacking. By displaying the application in
+ carefully constructed iframes on an unrelated domain, an attacker may
+ be able to deceive users into performing one or two-click actions in
+ the context of the application, such as deploying a charm. The impact
+ of a successful clickjacking attack is similar to that of cross-site
+ request forgery. See http://www.sectheory.com/clickjacking.htm for a
+ worked demonstration of a clickjacking attack.
+
+ Exploitability:
+ An attacker can only create exploits for forms that he would be able
+ to view, as he would need to know the URL and positioning of the
+ target forms. The attacker would also have to persuade a logged-in
+ user to visit and click once or twice on the page under his control.
+ A well-executed clickjacking attack is likely to go unnoticed by its
+ victims.
+
+ Remediation:
+ The application should instruct browsers not to allow other websites
+ to load it in a frame, by adding the X-Frame-Options: SAMEORIGIN
+ server header.
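The remediation and test case above, as an added example that is not MAAS's own code: a WSGI middleware that attaches `X-Frame-Options: SAMEORIGIN` to every response, and a header checker a tester can run to confirm that framing is now refused (the demo app and environ are constructed for the example).

```python
# Added example (not MAAS code): a WSGI middleware that attaches the
# X-Frame-Options: SAMEORIGIN header the remediation calls for, and a
# checker that verifies a response's headers actually forbid framing.
from typing import Callable, Iterable, List, Tuple

Headers = List[Tuple[str, str]]


def add_frame_options(app: Callable, policy: str = "SAMEORIGIN") -> Callable:
    """Wrap a WSGI app so every response carries X-Frame-Options.
    A header already set by the app is kept, so a view choosing DENY
    is not silently weakened to SAMEORIGIN."""
    def wrapped(environ, start_response):
        def _start_response(status, headers: Headers, exc_info=None):
            if not any(k.lower() == "x-frame-options" for k, _ in headers):
                headers = list(headers) + [("X-Frame-Options", policy)]
            return start_response(status, headers, exc_info)
        return app(environ, _start_response)
    return wrapped


def framing_blocked(headers: Iterable[Tuple[str, str]]) -> bool:
    """True if the headers forbid cross-origin framing: X-Frame-Options
    DENY/SAMEORIGIN, or a CSP frame-ancestors that does not allow '*'.
    A missing header, ALLOW-FROM or an unknown token counts as unprotected
    (the 'without the fix' state of the test case)."""
    for name, value in headers:
        lname, v = name.lower(), value.strip().lower()
        if lname == "x-frame-options" and v in ("deny", "sameorigin"):
            return True
        if lname == "content-security-policy":
            for directive in v.split(";"):
                parts = directive.split()
                if parts and parts[0] == "frame-ancestors" and "*" not in parts[1:]:
                    return True
    return False


def _demo_app(environ, start_response):
    # Constructed stand-in for the web application (not MAAS itself).
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html><body>console</body></html>"]


def response_headers(app: Callable) -> Headers:
    """Call a WSGI app once with a minimal environ; return its headers."""
    captured: Headers = []

    def start_response(status, headers, exc_info=None):
        captured.extend(headers)
    list(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response))
    return captured
```

Running `framing_blocked(response_headers(_demo_app))` reproduces step 3 of the "without the fix" case (False); wrapping the app with `add_frame_options` flips it to True.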
--
https://bugs.launchpad.net/bugs/1298784
Title:
Vulnerable to user-interface redressing (e.g. clickjacking)