activemq-issues mailing list archives

From "Michael Furman (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AMQ-6113) Security issue: required to add "X-Frame-Options SAMEORIGIN" for web console
Date Thu, 07 Jan 2016 14:23:39 GMT

     [ https://issues.apache.org/jira/browse/AMQ-6113?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Furman updated AMQ-6113:
--------------------------------
    Description: 
ActiveMQ is part of our installation.

When I run the Nessus vulnerability scanner on our server it found the following vulnerability
on the ActiveMQ webconsole:

Web Application Potentially Vulnerable to Clickjacking


Description
The remote web server does not set an X-Frame-Options response header in all content responses.
This could potentially expose the site to a clickjacking or UI Redress attack wherein an attacker
can trick a user into clicking an area of the vulnerable page that is different than what
the user perceives the page to be. This can result in a user performing fraudulent or malicious
transactions.

X-Frame-Options has been proposed by Microsoft as a way to mitigate clickjacking attacks and
is currently supported by all major browser vendors.

Note that while the X-Frame-Options response header is not the only mitigation for clickjacking,
it is currently the most reliable method to detect through automation. Therefore, this plugin
may produce false positives if other mitigation strategies (e.g. frame-busting JavaScript)
are deployed or if the page does not perform any security-sensitive transactions.
Solution
Return the X-Frame-Options HTTP header with the page's response.

This prevents the page's content from being rendered by another site when using the frame
or iframe HTML tags.
See Also
http://www.nessus.org/u?1bced8d9
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
http://en.wikipedia.org/wiki/Clickjacking
Output

    The following pages do not use an X-Frame-Options response header:

      - https://10.100.10.10:8072/



  was:
ActiveMQ is part of our installation.

When I run the Nessul scunner on our server it found the following vulnerability on ActiveMQ
 webconsole:

Web Application Potentially Vulnerable to Clickjacking


Description
The remote web server does not set an X-Frame-Options response header in all content responses.
This could potentially expose the site to a clickjacking or UI Redress attack wherein an attacker
can trick a user into clicking an area of the vulnerable page that is different than what
the user perceives the page to be. This can result in a user performing fraudulent or malicious
transactions.

X-Frame-Options has been proposed by Microsoft as a way to mitigate clickjacking attacks and
is currently supported by all major browser vendors.

Note that while the X-Frame-Options response header is not the only mitigation for clickjacking,
it is currently the most reliable method to detect through automation. Therefore, this plugin
may produce false positives if other mitigation strategies (e.g frame-busting JavaScript)
are deployed or if the page does not perform any security-sensitive transactions.
Solution
Return the X-Frame-Options HTTP header with the page's response.

This prevents the page's content from being rendered by another site when using the frame
or iframe HTML tags.
See Also
http://www.nessus.org/u?1bced8d9
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
http://en.wikipedia.org/wiki/Clickjacking
Output

    The following pages do not use an X-Frame-Options response header :

      - https://10.100.10.10:8072/




> Security issue: required to add "X-Frame-Options SAMEORIGIN" for web console
> ----------------------------------------------------------------------------
>
>                 Key: AMQ-6113
>                 URL: https://issues.apache.org/jira/browse/AMQ-6113
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: security, webconsole
>         Environment: centos 6
>            Reporter: Michael Furman
>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
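The finding above comes down to one question per response: would a browser refuse to render this page inside another origin's frame? The check below is an added example written for this thread; it is not code from ActiveMQ, from the JIRA issue or from the Nessus plugin. It applies the rules the plugin text describes (a DENY or SAMEORIGIN X-Frame-Options header protects; anything else counts as missing) and also recognises the CSP frame-ancestors directive, which the plugin text mentions as the kind of alternative mitigation that makes it report a false positive. The sample responses are constructed; nothing here was captured from the 10.100.10.10:8072 host in the report, and the assumed fetch_headers helper is only there so the same classification can be run against a live console.

```python
"""Classify an HTTP response's clickjacking protection (added example, see lead-in)."""
from __future__ import annotations

import urllib.error
import urllib.request

# The only X-Frame-Options values current browsers honour.
VALID_XFO = {"DENY", "SAMEORIGIN"}


def parse_raw_response(raw: bytes) -> list[tuple[str, str]]:
    """Split a raw HTTP/1.1 response into (lower-cased name, value) header pairs."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:  # lines[0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def fetch_headers(url: str) -> list[tuple[str, str]]:
    """Headers of a live response, so the same check can run against a real console.

    Network call; not used by the offline samples below. A 401 from a
    password-protected console still carries headers and is still classified,
    because the scanner looks at every response it gets back.
    """
    try:
        resp = urllib.request.urlopen(url, timeout=10)
    except urllib.error.HTTPError as err:
        resp = err
    with resp:
        return [(name.lower(), value) for name, value in resp.headers.items()]


def frame_ancestors(headers: list[tuple[str, str]]) -> list[str] | None:
    """Return the source list of a CSP frame-ancestors directive, or None if absent."""
    for name, value in headers:
        if name != "content-security-policy":
            continue
        for directive in value.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return [t.lower() for t in tokens[1:]]
    return None


def assess(headers: list[tuple[str, str]]) -> dict:
    """Decide whether cross-origin framing is blocked, and what a header-only scanner would say.

    protected     - a current browser would refuse to frame the page from another origin
    scanner_flags - no valid X-Frame-Options header, i.e. what the plugin above reports
    findings      - human-readable reasons
    """
    findings: list[str] = []
    xfo_ok = False

    values = {v.strip().upper() for n, v in headers if n == "x-frame-options"}
    if not values:
        findings.append("X-Frame-Options header missing")
    elif len(values) > 1:
        # Treated conservatively: conflicting values are not a reliable control.
        findings.append(f"conflicting X-Frame-Options values {sorted(values)}; send exactly one")
    else:
        value = values.pop()
        if value in VALID_XFO:
            xfo_ok = True
        elif value.startswith("ALLOW-FROM"):
            findings.append("ALLOW-FROM is obsolete and ignored by current browsers")
        else:
            findings.append(f"unrecognised X-Frame-Options value {value!r}; browsers ignore it")

    protected = xfo_ok
    ancestors = frame_ancestors(headers)
    if ancestors is not None:
        # Where CSP is supported, frame-ancestors takes precedence over X-Frame-Options.
        protected = "*" not in ancestors
        if not protected:
            findings.append("CSP frame-ancestors allows any origin ('*')")

    return {"protected": protected, "scanner_flags": not xfo_ok, "findings": findings}


def assess_raw(raw: bytes) -> dict:
    return assess(parse_raw_response(raw))


# Constructed responses; the console page in the report would be classified the same way.
SAMPLES = {
    "unfixed console": b"HTTP/1.1 200 OK\r\nContent-Type: text/html;charset=utf-8\r\n\r\n<html>",
    "fixed with SAMEORIGIN": b"HTTP/1.1 200 OK\r\nContent-Type: text/html;charset=utf-8\r\n"
                             b"X-Frame-Options: SAMEORIGIN\r\n\r\n<html>",
    "typo in value": b"HTTP/1.1 200 OK\r\nX-Frame-Options: SAME-ORIGIN\r\n\r\n<html>",
    "CSP only": b"HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; "
                b"frame-ancestors 'self'\r\n\r\n<html>",
}


def main() -> None:
    for label, raw in SAMPLES.items():
        result = assess_raw(raw)
        print(f"{label:24} protected={result['protected']!s:5} "
              f"scanner_flags={result['scanner_flags']!s:5} {result['findings']}")


if __name__ == "__main__":
    main()
```

Two things the samples make visible that the ticket text only implies: a misspelt value such as SAME-ORIGIN leaves the page as exposed as no header at all, and a page protected only by CSP frame-ancestors is safe in the browser but will still show up in this plugin's output. When re-testing after a fix, run the check against every path the console serves, not just /, because the finding is about all content responses; a filter mapped to a subset of URLs will keep the report alive.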
