Environment
Novell ZENworks Configuration Management 11.2.3
Situation
If a page of the ZENworks web console can be embedded inside an HTML frame by a page on another site, a phishing site can use this to replicate the look and feel of the legitimate page.
Resolution
This is fixed in version 11.2.4 - see KB 7012027 "ZENworks
Configuration Management 11.2.4 - update information and list of fixes"
which can be found at https://support.microfocus.com/kb/doc.php?id=7012027
The fix sends the frame options (X-FRAME-OPTIONS) header as part of the response from index.jsp, which prevents the cross-frame scripting vulnerability.
Cause
Cross-frame scripting is a phishing-style attack in which the attacker's page loads the legitimate application inside a frame. An unsuspecting user is then instructed to follow a specific link and update confidential information in what appears to be the online application, while the surrounding attacker-controlled page captures the input or the clicks.
Status
Security Alert
Additional Information
Assigned CVE-2013-6344
An attacker may be able to steal sensitive information or make a victim perform certain actions without their knowledge through attacks such as phishing or clickjacking. In some cases the attacker may also be able to take control of the user's machine. Web pages that can be embedded in frames allow an attacker to perform such attacks.
Adding a per-request token to each session, so that every request is unique to the server, makes forged requests harder, but it does not stop a browser from loading the page inside an attacker's frame, so on its own it is not sufficient against cross-frame scripting. Microsoft introduced a defense that lets developers specify that their pages must not be framed: the X-FRAME-OPTIONS response header (originally nonstandard, later documented in RFC 7034) marks responses that should not be framed. It has two options: DENY, which prevents every site from framing the content, and SAMEORIGIN, which allows only pages from the same origin to frame it. The header must be sent on every response that should be protected, not only on the login page, and an invalid value is ignored by browsers, leaving the page framable. Current browsers also honour the Content-Security-Policy frame-ancestors directive, which supersedes X-FRAME-OPTIONS when both are present.
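The following is an added example, not code from this KB article or from ZENworks: a small Python audit helper that applies the X-FRAME-OPTIONS rules described above (DENY, SAMEORIGIN, the legacy ALLOW-FROM form, and the fact that browsers ignore an invalid value) and, going beyond the article, the Content-Security-Policy frame-ancestors directive that current browsers check first. The hostnames and header sets in it are constructed for illustration; the probe function fetches a live URL only when one is passed on the command line.

```python
"""Decide from HTTP response headers whether a page can be framed.

Added example (not code from the KB article or from ZENworks). It applies the
X-FRAME-OPTIONS rules: DENY, SAMEORIGIN, the legacy ALLOW-FROM form, and the
fact that browsers ignore an invalid value. It also checks the CSP
frame-ancestors directive, which current browsers evaluate before
X-Frame-Options. Hostnames and header sets below are constructed examples.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def origin_of(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port or (443 if scheme == "https" else 80)
    return (scheme, (p.hostname or "").lower(), port)


def _csp_source_matches(src, framer):
    """Simplified CSP host-source matching: optional scheme, host with an
    optional leading '*.' wildcard, optional port. Paths are ignored."""
    scheme, host, port = framer
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:        # scheme-source such as "https:"
        return src[:-1].lower() == scheme
    explicit_scheme = "://" in src
    s = urlsplit(src if explicit_scheme else "https://" + src)
    if explicit_scheme and s.scheme.lower() != scheme:
        return False
    if s.port is not None and s.port != port:
        return False
    src_host = (s.hostname or "").lower()
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])          # *.example.com matches a.example.com only
    return src_host == host


def _frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return value.split()                    # an empty list means 'none'
    return None


def framing_verdict(headers, page_url, framer_url):
    """Return (can_frame, reason): whether a document at framer_url may embed
    page_url, given page_url's response headers (any mapping; names are
    compared case-insensitively)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    page, framer = origin_of(page_url), origin_of(framer_url)
    same_origin = page == framer

    # CSP frame-ancestors takes precedence over X-Frame-Options when both are sent.
    sources = _frame_ancestors(hdrs.get("content-security-policy", ""))
    if sources is not None:
        for src in sources:
            if src == "'self'" and same_origin:
                return True, "allowed by frame-ancestors 'self'"
            if not src.startswith("'") and _csp_source_matches(src, framer):
                return True, f"allowed by frame-ancestors {src}"
        return False, "blocked by CSP frame-ancestors"

    xfo = hdrs.get("x-frame-options")
    if xfo is None:
        return True, "no X-Frame-Options or frame-ancestors: any site may frame this page"
    values = [v.strip() for v in xfo.split(",")]
    if len(values) > 1:
        # Repeated or conflicting values: browsers differ, so flag rather than assume protection.
        return True, f"ambiguous X-Frame-Options value {xfo!r}"
    value = values[0].upper()
    if value == "DENY":
        return False, "blocked by X-Frame-Options: DENY"
    if value == "SAMEORIGIN":
        # Modern browsers require every ancestor frame to share the page's origin.
        if same_origin:
            return True, "same origin, allowed by X-Frame-Options: SAMEORIGIN"
        return False, "blocked by X-Frame-Options: SAMEORIGIN"
    if value.startswith("ALLOW-FROM"):
        parts = values[0].split(None, 1)
        if len(parts) == 2 and origin_of(parts[1]) == framer:
            return True, "allowed by X-Frame-Options: ALLOW-FROM"
        # Chromium and WebKit never supported ALLOW-FROM and ignore the whole header.
        return True, "ALLOW-FROM is ignored by browsers without support"
    # Anything else (a typo, ALLOWALL, ...) is invalid; browsers ignore the header entirely.
    return True, f"invalid X-Frame-Options value {xfo!r} is ignored by browsers"


def probe(page_url, framer_url="https://attacker.example", timeout=10):
    """Fetch page_url and report whether framer_url could embed it (needs network)."""
    try:
        resp = urllib.request.urlopen(page_url, timeout=timeout)
    except urllib.error.HTTPError as err:
        resp = err                                  # error pages carry headers too
    return framing_verdict(dict(resp.headers.items()), page_url, framer_url)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        page = "https://zcm.example.com/zenworks/index.jsp"   # constructed, not a real host
        phish = "https://phish.example.net"
        cases = {
            "no header (11.2.3)": {"Content-Type": "text/html"},
            "SAMEORIGIN": {"X-Frame-Options": "SAMEORIGIN"},
            "typo SAME-ORIGIN": {"X-Frame-Options": "SAME-ORIGIN"},
            "CSP 'none'": {"Content-Security-Policy": "frame-ancestors 'none'"},
        }
        for label, hdrs in cases.items():
            print(f"{label:20} {framing_verdict(hdrs, page, phish)}")
```

Run it with no arguments to see the constructed cases, or with a URL (for example the index.jsp of a ZENworks server you are authorised to test) to check a live response. The misspelled SAME-ORIGIN case is the one worth remembering: the header is present, a naive grep for X-Frame-Options would pass it, and the page is still framable.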