Cross-Frame Scripting - [OWASP 2010 A 10] vulnerability found on ZCC page

  • 7012761
  • 02-Jul-2013
  • 16-Jan-2014

Environment

Novell ZENworks Configuration Management 11.2.3

Situation

If a page is allowed to be embedded inside an HTML frame by another page, this may be used by a phishing site to replicate the look and feel of this page.

Resolution

This is fixed in version 11.2.4 - see KB 7012027 "ZENworks Configuration Management 11.2.4 - update information and list of fixes" which can be found at https://support.microfocus.com/kb/doc.php?id=7012027

Provided the options as part of the response in index.jsp which will avoid the CSF vulnerabilities

Cause

Cross-frame scripting is a type of a phishing attack that involves instructions to an unsuspecting user to follow a specific link to update confidential information in an online application.

Status

Security Alert

Additional Information

Assigned CVE-2013-6344

An attacker may be able to steal sensitive information or make a victim perform certain actions without his knowledge through attacks such as Phishing or Click-jacking. In some cases, the attacker may also be able to take control of the user’s machine. Web pages that can be embedded in frames allow an attacker to perform such attacks.

we found that the cross frame scripting can be avoided by introducing tokens as part part of the each request session so that each request will be unique for the server and can be avoid the cross frame scripting. Microsoft has now included a defense that allows developers to specify that pages should not be framed. They use a new (nonstandard) X-FRAME-OPTIONS header to mark responses that shouldn't be framed. There are two options with X-FRAME-OPTIONS. The first is DENY, which prevents everyone from framing the content. The other option is SAMEORIGIN, which only allows the current site to frame the content.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.