You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@flume.apache.org by "Denes Arvay (JIRA)" <ji...@apache.org> on 2017/09/05 13:54:00 UTC
[jira] [Created] (FLUME-3160) http-generic-click-jacking reported
for the metrics server
Denes Arvay created FLUME-3160:
----------------------------------
Summary: http-generic-click-jacking reported for the metrics server
Key: FLUME-3160
URL: https://issues.apache.org/jira/browse/FLUME-3160
Project: Flume
Issue Type: Bug
Affects Versions: 1.7.0
Reporter: Denes Arvay
Priority: Trivial
Vulnerability scanners report the HTTP metrics server vulnerable for http-generic-click-jacking.
Although this isn't a big issue per se (it shouldn't be accessible publicly, no unintended interaction can be done with it), but some audits might require this to be fixed.
{noformat}
vulnerability ID : http-generic-click-jacking
Vulnerability Description : Clickjacking, also known as a UI redress attack, is a method in which an attacker uses multiple transparent or opaque layers to trick a user into clicking a button or link on a page other than the one they believe they are clicking. Thus, the attacker is "hijacking" clicks meant for one page and routing the user to an illegitimate page.
Affected ports : 41414
Vulnerability proof :
"* Running HTTP service
HTTP request to http://localhost:41414/
HTTP response code was an expected 200
1: text/html; charset=utf-8
HTTP header 'Content-Type' was present and matched expectation
HTTP header 'Content-Security-Policy' not present
HTTP header 'X-Frame-Options' not present"
{noformat}
The fix would be to add the X-Frame-Options header with the proper value.
For more information see: http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)