You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@flume.apache.org by "Denes Arvay (JIRA)" <ji...@apache.org> on 2017/09/05 13:54:00 UTC

[jira] [Created] (FLUME-3160) http-generic-click-jacking reported for the metrics server

Denes Arvay created FLUME-3160:
----------------------------------

             Summary: http-generic-click-jacking reported for the metrics server
                 Key: FLUME-3160
                 URL: https://issues.apache.org/jira/browse/FLUME-3160
             Project: Flume
          Issue Type: Bug
    Affects Versions: 1.7.0
            Reporter: Denes Arvay
            Priority: Trivial


Vulnerability scanners report the HTTP metrics server vulnerable for http-generic-click-jacking.
Although this isn't a big issue per se (it shouldn't be accessible publicly, no unintended interaction can be done with it), but some audits might require this to be fixed.

{noformat}
vulnerability ID : http-generic-click-jacking

Vulnerability Description : Clickjacking, also known as a UI redress attack, is a method in which an attacker uses multiple transparent or opaque layers to trick a user into clicking a button or link on a page other than the one they believe they are clicking. Thus, the attacker is "hijacking" clicks meant for one page and routing the user to an illegitimate page.

Affected ports : 41414

Vulnerability proof : 
"* Running HTTP service 
HTTP request to http://localhost:41414/ 
HTTP response code was an expected 200 
1: text/html; charset=utf-8 

HTTP header 'Content-Type' was present and matched expectation 
HTTP header 'Content-Security-Policy' not present 
HTTP header 'X-Frame-Options' not present"
{noformat}

The fix would be to add the X-Frame-Options header with the proper value.

For more information see: http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)